Detections

Yara:

AgentTeslaV2

Analysis

Category: FILE
Package: exe
Started: 2020-06-30 09:25:01
Completed: 2020-06-30 09:28:13
Duration: 192 seconds
Options: route = tor
Log:
2020-05-13 09:13:46,454 [root] INFO: Date set to: 20200630T08:48:36, timeout set to: 200
2020-06-30 08:48:36,031 [root] DEBUG: Starting analyzer from: C:\tmpq_mrpfl7
2020-06-30 08:48:36,031 [root] DEBUG: Storing results at: C:\DefHIITxvb
2020-06-30 08:48:36,031 [root] DEBUG: Pipe server name: \\.\PIPE\phplLJAKn
2020-06-30 08:48:36,031 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 08:48:36,031 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 08:48:36,046 [root] INFO: Automatically selected analysis package "exe"
2020-06-30 08:48:36,046 [root] DEBUG: Trying to import analysis package "exe"...
2020-06-30 08:48:36,078 [root] DEBUG: Imported analysis package "exe".
2020-06-30 08:48:36,093 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-06-30 08:48:36,093 [root] DEBUG: Initialized analysis package "exe".
2020-06-30 08:48:36,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 08:48:36,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 08:48:36,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 08:48:36,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 08:48:36,203 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 08:48:36,234 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 08:48:36,249 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 08:48:36,265 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 08:48:36,265 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 08:48:36,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 08:48:36,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 08:48:36,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 08:48:36,312 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 08:48:36,312 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 08:48:36,312 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 08:48:36,312 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 08:48:37,812 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 08:48:37,875 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 08:48:37,890 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 08:48:37,890 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 08:48:37,890 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 08:48:37,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 08:48:37,906 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 08:48:37,921 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 08:48:37,921 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 08:48:37,937 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 08:48:37,937 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 08:48:37,937 [root] DEBUG: Started auxiliary module Browser
2020-06-30 08:48:37,937 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 08:48:37,937 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 08:48:37,937 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 08:48:37,937 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 08:48:37,953 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 08:48:37,953 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 08:48:37,953 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 08:48:37,953 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 08:48:38,281 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 08:48:38,281 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 08:48:38,296 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 08:48:38,296 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 08:48:38,296 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 08:48:38,296 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 08:48:38,312 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 08:48:38,328 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 08:48:38,328 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 08:48:38,328 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 08:48:38,343 [root] DEBUG: Started auxiliary module Human
2020-06-30 08:48:38,343 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 08:48:38,343 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 08:48:38,343 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 08:48:38,343 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 08:48:38,343 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 08:48:38,343 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 08:48:38,343 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 08:48:38,343 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 08:48:38,359 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 08:48:38,359 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 08:48:38,359 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 08:48:38,359 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 08:48:38,359 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 08:48:38,359 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 08:48:38,359 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 08:48:38,359 [root] DEBUG: Started auxiliary module Usage
2020-06-30 08:48:38,359 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-06-30 08:48:38,359 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-06-30 08:48:38,359 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-06-30 08:48:38,359 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-06-30 08:48:38,656 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe" with arguments "" with pid 5072
2020-06-30 08:48:38,656 [lib.api.process] INFO: Monitor config for process 5072: C:\tmpq_mrpfl7\dll\5072.ini
2020-06-30 08:48:38,671 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\lxqrURX.dll, loader C:\tmpq_mrpfl7\bin\UvSMnhQ.exe
2020-06-30 08:48:38,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\phplLJAKn.
2020-06-30 08:48:38,781 [root] DEBUG: Loader: Injecting process 5072 (thread 4972) with C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:48:38,781 [root] DEBUG: Process image base: 0x00CF0000
2020-06-30 08:48:38,781 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 08:48:38,781 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 08:48:38,781 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:48:38,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5072
2020-06-30 08:48:40,796 [lib.api.process] INFO: Successfully resumed process with pid 5072
2020-06-30 08:48:41,296 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 08:48:41,296 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 08:48:41,312 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5072 at 0x6b650000, image base 0xcf0000, stack from 0x145000-0x150000
2020-06-30 08:48:41,328 [root] INFO: Loaded monitor into process with pid 5072
2020-06-30 08:48:41,343 [root] DEBUG: set_caller_info: Adding region at 0x00050000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 08:48:41,343 [root] DEBUG: set_caller_info: Adding region at 0x00630000 to caller regions list (ntdll::RtlDispatchException).
2020-06-30 08:48:41,625 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 08:48:41,640 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x630000
2020-06-30 08:48:41,640 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00630000 size 0x400000.
2020-06-30 08:48:41,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x630000 - 0x631000.
2020-06-30 08:48:41,718 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_16624796164181330262020 (size 0xffe)
2020-06-30 08:48:41,718 [root] DEBUG: DumpRegion: Dumped stack region from 0x00630000, size 0x1000.
2020-06-30 08:48:41,718 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x00050000.
2020-06-30 08:48:41,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xbc amd local view 0x71720000 to global list.
2020-06-30 08:48:41,734 [root] DEBUG: DLL loaded at 0x71720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 08:48:41,734 [root] DEBUG: DLL unloaded from 0x76A30000.
2020-06-30 08:48:41,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x00550000 to global list.
2020-06-30 08:48:41,765 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xcc amd local view 0x00550000 to global list.
2020-06-30 08:48:41,765 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 08:48:41,781 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6A530000 for section view with handle 0xd0.
2020-06-30 08:48:41,781 [root] DEBUG: DLL loaded at 0x6A530000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ef000 bytes).
2020-06-30 08:48:41,796 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6C1F0000 for section view with handle 0xd0.
2020-06-30 08:48:42,078 [root] DEBUG: DLL loaded at 0x6C1F0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2020-06-30 08:48:42,140 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 5072, handle 0xf0.
2020-06-30 08:48:42,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x002F0000 to global list.
2020-06-30 08:48:42,156 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf8 amd local view 0x00300000 to global list.
2020-06-30 08:48:42,156 [root] INFO: Disabling sleep skipping.
2020-06-30 08:48:42,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:42,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:42,171 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:42,171 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f0 amd local view 0x05620000 to global list.
2020-06-30 08:48:42,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f4 amd local view 0x66420000 to global list.
2020-06-30 08:48:42,218 [root] DEBUG: DLL loaded at 0x66420000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni (0x1393000 bytes).
2020-06-30 08:48:42,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x200 amd local view 0x6B5D0000 to global list.
2020-06-30 08:48:42,249 [root] DEBUG: DLL loaded at 0x6B5D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2020-06-30 08:48:42,249 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1fc amd local view 0x76500000 to global list.
2020-06-30 08:48:42,249 [root] DEBUG: DLL loaded at 0x76500000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 08:48:42,265 [root] DEBUG: set_caller_info: Adding region at 0x00590000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 08:48:42,375 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x59ffff
2020-06-30 08:48:42,375 [root] DEBUG: DumpMemory: Nothing to dump at 0x00590000!
2020-06-30 08:48:42,375 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00590000 size 0x10000.
2020-06-30 08:48:42,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x590000 - 0x591000.
2020-06-30 08:48:42,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x590000-0x591000.
2020-06-30 08:48:42,937 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_2022726876291330262020 (size 0x4e5)
2020-06-30 08:48:42,937 [root] DEBUG: DumpRegion: Dumped stack region from 0x00590000, size 0x1000.
2020-06-30 08:48:42,984 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,109 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,125 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,140 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,156 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,171 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:48:43,265 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x228 amd local view 0x68000000 to global list.
2020-06-30 08:48:43,265 [root] DEBUG: DLL loaded at 0x68000000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni (0xa10000 bytes).
2020-06-30 08:48:43,281 [root] DEBUG: OpenProcessHandler: Image base for process 5072 (handle 0x220): 0x00CF0000.
2020-06-30 08:48:43,609 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x238 amd local view 0x658C0000 to global list.
2020-06-30 08:48:43,609 [root] DEBUG: DLL loaded at 0x658C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni (0x7e0000 bytes).
2020-06-30 08:48:43,734 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x234 amd local view 0x6AFF0000 to global list.
2020-06-30 08:48:43,750 [root] DEBUG: DLL loaded at 0x6AFF0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni (0x3f3000 bytes).
2020-06-30 08:48:43,765 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-06-30 08:48:43,781 [root] DEBUG: DLL loaded at 0x75390000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-06-30 08:48:44,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x23c amd local view 0x64D10000 to global list.
2020-06-30 08:48:44,203 [root] DEBUG: DLL loaded at 0x64D10000: C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni (0xbad000 bytes).
2020-06-30 08:48:44,546 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x63A00000 for section view with handle 0x234.
2020-06-30 08:48:44,562 [root] DEBUG: DLL loaded at 0x63A00000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni (0x1307000 bytes).
2020-06-30 08:48:45,281 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67BE0000 for section view with handle 0x234.
2020-06-30 08:48:45,296 [root] DEBUG: DLL loaded at 0x67BE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni (0x1f4000 bytes).
2020-06-30 08:48:45,593 [root] DEBUG: DLL loaded at 0x68CA0000: C:\Windows\system32\dwrite (0x136000 bytes).
2020-06-30 08:48:45,625 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x67840000 for section view with handle 0x234.
2020-06-30 08:48:45,671 [root] DEBUG: DLL loaded at 0x67840000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400 (0x149000 bytes).
2020-06-30 08:48:45,703 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6B550000 for section view with handle 0x234.
2020-06-30 08:48:45,750 [root] DEBUG: DLL loaded at 0x6B550000: C:\Windows\system32\MSVCP120_CLR0400 (0x78000 bytes).
2020-06-30 08:48:45,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x68B50000 for section view with handle 0x23c.
2020-06-30 08:48:45,953 [root] DEBUG: DLL loaded at 0x68B50000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400 (0xca000 bytes).
2020-06-30 08:48:46,093 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x240 amd local view 0x66280000 to global list.
2020-06-30 08:48:46,093 [root] DEBUG: DLL loaded at 0x66280000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni (0x194000 bytes).
2020-06-30 08:48:46,109 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x62CE0000 for section view with handle 0x238.
2020-06-30 08:48:46,109 [root] DEBUG: DLL loaded at 0x62CE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni (0xd1d000 bytes).
2020-06-30 08:48:46,562 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x030F0000 for section view with handle 0x238.
2020-06-30 08:48:46,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6F470000 for section view with handle 0x23c.
2020-06-30 08:48:46,578 [root] DEBUG: DLL loaded at 0x6F470000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2020-06-30 08:48:46,578 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x07F90000 for section view with handle 0x23c.
2020-06-30 08:48:46,640 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x74560000 for section view with handle 0x240.
2020-06-30 08:48:46,640 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\gdiplus (0x192000 bytes).
2020-06-30 08:48:46,656 [root] DEBUG: DLL loaded at 0x73E10000: C:\Windows\system32\WindowsCodecs (0x131000 bytes).
2020-06-30 08:48:46,687 [root] DEBUG: set_caller_info: Adding region at 0x00320000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-06-30 08:48:46,687 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x32ffff
2020-06-30 08:48:46,687 [root] DEBUG: DumpMemory: Nothing to dump at 0x00320000!
2020-06-30 08:48:46,687 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00320000 size 0x10000.
2020-06-30 08:48:46,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x320000 - 0x321000.
2020-06-30 08:48:46,687 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x320000-0x321000.
2020-06-30 08:48:46,734 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_1918261519691330262020 (size 0xf7)
2020-06-30 08:48:47,859 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x258 amd local view 0x67F30000 to global list.
2020-06-30 08:48:47,906 [root] DEBUG: DLL loaded at 0x67F30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni (0xc8000 bytes).
2020-06-30 08:48:48,046 [root] DEBUG: DLL loaded at 0x75750000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-06-30 08:48:48,093 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-06-30 08:49:03,062 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:49:03,093 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5072.
2020-06-30 08:49:03,171 [root] DEBUG: set_caller_info: Adding region at 0x02AB0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-06-30 08:49:03,187 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x2abffff
2020-06-30 08:49:03,187 [root] DEBUG: DumpMemory: Nothing to dump at 0x02AB0000!
2020-06-30 08:49:03,187 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x02AB0000 size 0x10000.
2020-06-30 08:49:03,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ab0000 - 0x2ab2000.
2020-06-30 08:49:03,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ab0000-0x2ab2000.
2020-06-30 08:49:03,281 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_42603720039131330262020 (size 0x1faf)
2020-06-30 08:49:03,281 [root] DEBUG: DumpRegion: Dumped stack region from 0x02AB0000, size 0x2000.
2020-06-30 08:49:03,296 [root] INFO: Announced 32-bit process name: 3fPRS.exe pid: 5232
2020-06-30 08:49:03,296 [lib.api.process] INFO: Monitor config for process 5232: C:\tmpq_mrpfl7\dll\5232.ini
2020-06-30 08:49:03,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\lxqrURX.dll, loader C:\tmpq_mrpfl7\bin\UvSMnhQ.exe
2020-06-30 08:49:03,343 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\phplLJAKn.
2020-06-30 08:49:03,343 [root] DEBUG: Loader: Injecting process 5232 (thread 5376) with C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,343 [root] DEBUG: Process image base: 0x00CF0000
2020-06-30 08:49:03,343 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 08:49:03,359 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 08:49:03,359 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,359 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5232
2020-06-30 08:49:03,375 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 08:49:03,421 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5232, ImageBase: 0x00CF0000
2020-06-30 08:49:03,437 [root] INFO: Announced 32-bit process name: 3fPRS.exe pid: 5232
2020-06-30 08:49:03,437 [lib.api.process] INFO: Monitor config for process 5232: C:\tmpq_mrpfl7\dll\5232.ini
2020-06-30 08:49:03,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\lxqrURX.dll, loader C:\tmpq_mrpfl7\bin\UvSMnhQ.exe
2020-06-30 08:49:03,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\phplLJAKn.
2020-06-30 08:49:03,453 [root] DEBUG: Loader: Injecting process 5232 (thread 5376) with C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,453 [root] DEBUG: Process image base: 0x00CF0000
2020-06-30 08:49:03,453 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 08:49:03,468 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 08:49:03,468 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5232
2020-06-30 08:49:03,640 [root] DEBUG: WriteMemoryHandler: Executable binary injected into process 5232 (ImageBase 0x400000)
2020-06-30 08:49:03,640 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 08:49:03,640 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x04BB1A50.
2020-06-30 08:49:03,703 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x44a00.
2020-06-30 08:49:03,703 [root] DEBUG: WriteMemoryHandler: Dumped PE image from buffer at 0x4bb1a50, SizeOfImage 0x4a000.
2020-06-30 08:49:03,703 [root] INFO: Announced 32-bit process name: 3fPRS.exe pid: 5232
2020-06-30 08:49:03,703 [lib.api.process] INFO: Monitor config for process 5232: C:\tmpq_mrpfl7\dll\5232.ini
2020-06-30 08:49:03,703 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\lxqrURX.dll, loader C:\tmpq_mrpfl7\bin\UvSMnhQ.exe
2020-06-30 08:49:03,718 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\phplLJAKn.
2020-06-30 08:49:03,718 [root] DEBUG: Loader: Injecting process 5232 (thread 0) with C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,734 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 5376, handle 0xa0
2020-06-30 08:49:03,734 [root] DEBUG: Process image base: 0x00CF0000
2020-06-30 08:49:03,734 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-06-30 08:49:03,734 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-06-30 08:49:03,734 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5232
2020-06-30 08:49:03,750 [root] DEBUG: WriteMemoryHandler: injection of section of PE image which has already been dumped.
2020-06-30 08:49:03,750 [root] INFO: Announced 32-bit process name: 3fPRS.exe pid: 5232
2020-06-30 08:49:03,750 [lib.api.process] INFO: Monitor config for process 5232: C:\tmpq_mrpfl7\dll\5232.ini
2020-06-30 08:49:03,765 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\lxqrURX.dll, loader C:\tmpq_mrpfl7\bin\UvSMnhQ.exe
2020-06-30 08:49:03,781 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\phplLJAKn.
2020-06-30 08:49:03,781 [root] DEBUG: Loader: Injecting process 5232 (thread 0) with C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,781 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 13828096, handle 0x0
2020-06-30 08:49:03,812 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 08:49:03,812 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 08:49:03,828 [root] INFO: Disabling sleep skipping.
2020-06-30 08:49:03,828 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5232 at 0x6b650000, image base 0xcf0000, stack from 0x566000-0x570000
2020-06-30 08:49:03,828 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe".
2020-06-30 08:49:03,843 [root] INFO: Loaded monitor into process with pid 5232
2020-06-30 08:49:03,859 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 08:49:03,859 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 08:49:03,859 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\lxqrURX.dll.
2020-06-30 08:49:03,875 [root] DEBUG: WriteMemoryHandler: shellcode at 0x037BA7DC (size 0x600) injected into process 5232.
2020-06-30 08:49:03,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_149056174439131330262020 (size 0x51d)
2020-06-30 08:49:03,906 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 08:49:03,906 [root] DEBUG: WriteMemoryHandler: shellcode at 0x037BB670 (size 0x200) injected into process 5232.
2020-06-30 08:49:04,156 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5072_20520555939131330262020 (size 0x9)
2020-06-30 08:49:04,156 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-06-30 08:49:06,656 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x00045E5E (process 5232).
2020-06-30 08:49:07,703 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 5232.
2020-06-30 08:49:07,718 [root] DEBUG: set_caller_info: Adding region at 0x00030000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 08:49:07,718 [root] DEBUG: DLL unloaded from 0x67840000.
2020-06-30 08:49:07,718 [root] DEBUG: set_caller_info: Adding region at 0x01B20000 to caller regions list (kernel32::GetSystemTime).
2020-06-30 08:49:07,750 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 08:49:07,750 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x1b20000
2020-06-30 08:49:07,750 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x01B20000 size 0x400000.
2020-06-30 08:49:07,750 [root] DEBUG: DumpPEsInRange: Scanning range 0x1b20000 - 0x1b21000.
2020-06-30 08:49:07,750 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1b20000-0x1b21000.
2020-06-30 08:49:07,781 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5232_285440744791330262020 (size 0xffe)
2020-06-30 08:49:07,781 [root] DEBUG: DumpRegion: Dumped stack region from 0x01B20000, size 0x1000.
2020-06-30 08:49:07,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5232_1938422104791330262020 (size 0x12a)
2020-06-30 08:49:07,828 [root] DEBUG: DLL unloaded from 0x68B50000.
2020-06-30 08:49:07,828 [root] DEBUG: DumpRegion: Dumped stack region from 0x00030000, size 0x1000.
2020-06-30 08:49:07,828 [root] DEBUG: DLL loaded at 0x00450000: C:\tmpq_mrpfl7\dll\lxqrURX (0xd5000 bytes).
2020-06-30 08:49:07,843 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:07,843 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:07,843 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:07,859 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:07,859 [root] DEBUG: DLL unloaded from 0x00450000.
2020-06-30 08:49:07,859 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5072
2020-06-30 08:49:07,875 [root] DEBUG: GetHookCallerBase: thread 4972 (handle 0x0), return address 0x6B681698, allocation base 0x6B650000.
2020-06-30 08:49:07,875 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00CF0000.
2020-06-30 08:49:07,875 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 08:49:07,875 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00CF2000
2020-06-30 08:49:07,875 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 08:49:07,875 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00CF0000.
2020-06-30 08:49:07,875 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00D83A00 to 0x00D83C00).
2020-06-30 08:49:07,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5232_1542535175791330262020 (size 0x12a)
2020-06-30 08:49:07,906 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 08:49:07,906 [root] DEBUG: DumpRegion: Dumped stack region from 0x00070000, size 0x1000.
2020-06-30 08:49:07,906 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00CF0000, dumping memory region.
2020-06-30 08:49:07,906 [root] DEBUG: DLL loaded at 0x00450000: C:\tmpq_mrpfl7\dll\lxqrURX (0xd5000 bytes).
2020-06-30 08:49:07,906 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:07,921 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:07,921 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:07,921 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:07,921 [root] DEBUG: DLL unloaded from 0x00450000.
2020-06-30 08:49:07,937 [root] DEBUG: set_caller_info: Adding region at 0x00080000 to caller regions list (ntdll::LdrLoadDll).
2020-06-30 08:49:07,953 [root] DEBUG: DLL unloaded from 0x76730000.
2020-06-30 08:49:07,968 [root] DEBUG: DLL unloaded from 0x6A530000.
2020-06-30 08:49:07,968 [root] DEBUG: DLL unloaded from 0x71720000.
2020-06-30 08:49:07,984 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5072
2020-06-30 08:49:07,984 [root] DEBUG: GetHookCallerBase: thread 4972 (handle 0x0), return address 0x6B681698, allocation base 0x6B650000.
2020-06-30 08:49:07,984 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5232_1634385759791330262020 (size 0x12a)
2020-06-30 08:49:08,000 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00CF0000.
2020-06-30 08:49:08,000 [root] DEBUG: DumpRegion: Dumped stack region from 0x00080000, size 0x1000.
2020-06-30 08:49:08,015 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00CF2000
2020-06-30 08:49:08,015 [root] DEBUG: DLL loaded at 0x00450000: C:\tmpq_mrpfl7\dll\lxqrURX (0xd5000 bytes).
2020-06-30 08:49:08,015 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 08:49:08,015 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:08,031 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:08,031 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00CF0000.
2020-06-30 08:49:08,046 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00D83A00 to 0x00D83C00).
2020-06-30 08:49:08,062 [root] DEBUG: DLL unloaded from 0x72490000.
2020-06-30 08:49:08,062 [root] DEBUG: DLL unloaded from 0x76650000.
2020-06-30 08:49:08,062 [root] DEBUG: DLL unloaded from 0x00450000.
2020-06-30 08:49:08,093 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-06-30 08:49:08,093 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 08:49:08,109 [root] DEBUG: set_caller_info: Failed to dumping calling PE image at 0x000B0000.
2020-06-30 08:49:08,109 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00CF0000, dumping memory region.
2020-06-30 08:49:08,125 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (kernel32::FindFirstFileExW).
2020-06-30 08:49:08,125 [root] INFO: Process with pid 5072 has terminated
2020-06-30 08:49:08,343 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\DefHIITxvb\CAPE\5232_979058947891330262020 (size 0x100099)
2020-06-30 08:49:08,359 [root] DEBUG: DumpRegion: Dumped stack region from 0x00570000, size 0x101000.
2020-06-30 08:49:08,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x71720000 to global list.
2020-06-30 08:49:08,375 [root] DEBUG: DLL loaded at 0x71720000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2020-06-30 08:49:08,390 [root] DEBUG: DLL unloaded from 0x76A30000.
2020-06-30 08:49:08,390 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5232
2020-06-30 08:49:08,390 [root] DEBUG: GetHookCallerBase: thread 5376 (handle 0x0), return address 0x6B681698, allocation base 0x6B650000.
2020-06-30 08:49:08,406 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00CF0000.
2020-06-30 08:49:08,406 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00CF2000
2020-06-30 08:49:08,406 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-06-30 08:49:08,406 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00CF0000.
2020-06-30 08:49:08,406 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x00D83A00 to 0x00D83C00).
2020-06-30 08:49:08,453 [root] DEBUG: DumpPE: Error: Cannot dump PE file from memory.
2020-06-30 08:49:08,453 [root] DEBUG: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x00CF0000, dumping memory region.
2020-06-30 08:49:08,453 [root] DEBUG: DoProcessDump: Dumping 'new' Imagebase at 0x00400000.
2020-06-30 08:49:08,453 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 08:49:08,468 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 08:49:08,468 [root] DEBUG: DumpProcess: Module entry point VA is 0x00045E5E.
2020-06-30 08:49:08,531 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x44c00.
2020-06-30 08:49:08,531 [root] DEBUG: DLL unloaded from 0x76730000.
2020-06-30 08:49:08,546 [root] DEBUG: DLL unloaded from 0x71720000.
2020-06-30 08:49:08,562 [root] INFO: Process with pid 5232 has terminated
2020-06-30 08:49:27,984 [root] INFO: Process list is empty, terminating analysis.
2020-06-30 08:49:29,031 [root] INFO: Created shutdown mutex.
2020-06-30 08:49:30,031 [root] INFO: Shutting down package.
2020-06-30 08:49:30,031 [root] INFO: Stopping auxiliary modules.
2020-06-30 08:49:30,203 [lib.common.results] WARNING: File C:\DefHIITxvb\bin\procmon.xml doesn't exist anymore
2020-06-30 08:49:30,203 [root] INFO: Finishing auxiliary modules.
2020-06-30 08:49:30,203 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 08:49:30,203 [root] WARNING: Folder at path "C:\DefHIITxvb\debugger" does not exist, skip.
2020-06-30 08:49:30,218 [root] INFO: Analysis completed.

Machine

Name    Label   Manager  Started On           Shutdown On
win7_4  win7_4  KVM      2020-06-30 09:25:01  2020-06-30 09:28:13

File Details

File Name 3fPRS
File Size 605184 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-03-29 12:01:54
MD5 055ec8209736da7ea8ae8a2dd314feee
SHA1 3af70c9b799a9719b19935c38ec64b4cacbda211
SHA256 1955d466452cd025985e7bfff38c2c02bd9000a50c47d75ac4d9303a726c074e
SHA512 7744bc1058bcdf3682d20af3b5f967eafb52ecf6589fae71446734ff487e63e5157834993f1ad05636204dea70c629601765e356d90e2e25afc9e3141b42ac89
CRC32 296E9DAD
Ssdeep 6144:QNmbL0AvosTbY3n7unO21wuOTqHV48NONHStd/EnN98AqZePr5:QMVv64T12qHZ/E78AqZ+
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 5232 triggered the Yara rule 'AgentTeslaV2'
Hit: PID 5072 triggered the Yara rule 'AgentTeslaV2'
Creates RWX memory
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformationW
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/jitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/GetCurrentProcessId
DynamicLoader: KERNEL32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: PSAPI.DLL/EnumProcessModulesW
DynamicLoader: PSAPI.DLL/GetModuleInformation
DynamicLoader: PSAPI.DLL/GetModuleInformationW
DynamicLoader: PSAPI.DLL/GetModuleBaseName
DynamicLoader: PSAPI.DLL/GetModuleBaseNameW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: PSAPI.DLL/GetModuleFileNameEx
DynamicLoader: PSAPI.DLL/GetModuleFileNameExW
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: USER32.dll/SetProcessDPIAware
DynamicLoader: KERNEL32.dll/GetEnvironmentVariableW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/PathAppendW
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/LoadLibraryExW
DynamicLoader: dwrite.dll/DWriteCreateFactory
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: GDI32.dll/GdiEntry13
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageEncodersSize
DynamicLoader: gdiplus.dll/GdipGetImageEncoders
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: gdiplus.dll/GdipSaveImageToStream
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: KERNEL32.dll/CreateWaitableTimerExW
DynamicLoader: KERNEL32.dll/SetWaitableTimerEx
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ADVAPI32.dll/CreateProcessAsUser
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: CRYPTSP.dll/CryptGetDefaultProviderW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/WriteProcessMemory
DynamicLoader: KERNEL32.dll/SetThreadContext
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/ResumeThread
DynamicLoader: KERNEL32.dll/FreeLibrary
DynamicLoader: MSVCR120_CLR0400.dll/[email protected]@Z
DynamicLoader: MSVCR120_CLR0400.dll/_unlock
DynamicLoader: MSVCR120_CLR0400.dll/_lock
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/InitializeCriticalSectionEx
DynamicLoader: KERNEL32.dll/CreateEventExW
DynamicLoader: KERNEL32.dll/CreateSemaphoreExW
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: KERNEL32.dll/CreateThreadpoolTimer
DynamicLoader: KERNEL32.dll/SetThreadpoolTimer
DynamicLoader: KERNEL32.dll/WaitForThreadpoolTimerCallbacks
DynamicLoader: KERNEL32.dll/CloseThreadpoolTimer
DynamicLoader: KERNEL32.dll/CreateThreadpoolWait
DynamicLoader: KERNEL32.dll/SetThreadpoolWait
DynamicLoader: KERNEL32.dll/CloseThreadpoolWait
DynamicLoader: KERNEL32.dll/FlushProcessWriteBuffers
DynamicLoader: KERNEL32.dll/FreeLibraryWhenCallbackReturns
DynamicLoader: KERNEL32.dll/GetCurrentProcessorNumber
DynamicLoader: KERNEL32.dll/GetLogicalProcessorInformation
DynamicLoader: KERNEL32.dll/CreateSymbolicLinkW
DynamicLoader: KERNEL32.dll/SetDefaultDllDirectories
DynamicLoader: KERNEL32.dll/EnumSystemLocalesEx
DynamicLoader: KERNEL32.dll/CompareStringEx
DynamicLoader: KERNEL32.dll/GetDateFormatEx
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/GetTimeFormatEx
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/IsValidLocaleName
DynamicLoader: KERNEL32.dll/LCMapStringEx
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: KERNEL32.dll/GetTickCount64
DynamicLoader: KERNEL32.dll/GetFileInformationByHandleExW
DynamicLoader: KERNEL32.dll/SetFileInformationByHandleW
DynamicLoader: KERNEL32.dll/AcquireSRWLockExclusive
DynamicLoader: KERNEL32.dll/ReleaseSRWLockExclusive
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventSetInformation
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: ADVAPI32.dll/EventUnregister
CAPE extracted potentially suspicious content
3fPRS.exe: AgentTeslaV2 Payload: 32-bit executable
3fPRS.exe: AgentTeslaV2
3fPRS.exe: Injected Shellcode/Data
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Injected Shellcode/Data
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Unpacked Shellcode
3fPRS.exe: Unpacked Shellcode
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C:\Users\Rebecca\AppData\Local\Temp\3fPRS
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe:Zone.Identifier
Behavioural detection: Injection (Process Hollowing)
Injection: 3fPRS.exe(5072) -> 3fPRS.exe(5232)
Executed a process and injected code into it, probably while unpacking
Injection: 3fPRS.exe(5072) -> 3fPRS.exe(5232)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Network activity detected but not expressed in API logs
CAPE detected the AgentTeslaV2 malware family
Mimics icon used for popular non-executable file format
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Hosts

Direct  IP       Country Name
Y       8.8.8.8  United States

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe.config
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-2.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\System32\api-ms-win-core-quirks-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\lelea\*
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe:Zone.Identifier
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationUI\v4.0_4.0.0.0__31bf3856ad364e35\PresentationUI.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\SHLWAPI.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Users\Rebecca\AppData\Local\Temp\MSVCP120_CLR0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\lelea.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\lelea.resources\lelea.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en-US\lelea.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en-US\lelea.resources\lelea.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\Rebecca\AppData\Local\Temp\en\lelea.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\lelea.resources\lelea.resources.dll
C:\Users\Rebecca\AppData\Local\Temp\en\lelea.resources.exe
C:\Users\Rebecca\AppData\Local\Temp\en\lelea.resources\lelea.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe.config
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol224.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c8a2021e940773064c655a6ea6ee8cb2\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\fad2ba18a244bf307910025c81b52f1e\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4f7c4bba7641e71c1b15384ca408fa9b\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\2cf8ec33054bf9d59892861776b13716\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\15a0c54648649e65f75ca4010468c7e2\System.Xaml.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll
C:\Windows\System32\MSVCP120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24308_none_5c028e37a0121035\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\5c5ed836d2a372987cc8f735310cc369\Microsoft.Build.Utilities.v4.0.ni.dll
C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3fPRS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Net Framework Setup\NDP\v4\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics
HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|3fPRS.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|3fPRS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Rebecca|AppData|Local|Temp|3fPRS.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-479431668-4257340731-3059248302-1002\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Utilities.v4.0__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Microsoft.Build.Framework__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\3fPRS.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\FABE2EDC
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index224
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\FABE2EDC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.GetCurrentProcessId
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.CloseHandle
kernel32.dll.OpenProcess
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
psapi.dll.GetModuleBaseNameW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
psapi.dll.GetModuleFileNameExW
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.GetFullPathNameW
kernel32.dll.DeleteFileW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
kernel32.dll.LocalAlloc
[email protected]@Z
user32.dll.SetProcessDPIAware
kernel32.dll.GetEnvironmentVariableW
shlwapi.dll.PathAppendW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryExW
dwrite.dll.DWriteCreateFactory
shlwapi.dll.PathCombineW
kernel32.dll.LoadLibraryW
gdi32.dll.GdiEntry13
advapi32.dll.EventWrite
advapi32.dll.EventUnregister
ntdll.dll.NtQuerySystemInformation
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipLoadImageFromStream
windowscodecs.dll.DllGetClassObject
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageType
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageEncodersSize
gdiplus.dll.GdipGetImageEncoders
kernel32.dll.LocalFree
gdiplus.dll.GdipSaveImageToStream
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.#10
gdiplus.dll.GdipCreateBitmapFromStream
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
kernel32.dll.GetTempPathW
bcrypt.dll.BCryptGetFipsAlgorithmMode
ntdll.dll.NtQueryInformationThread
kernel32.dll.CreateWaitableTimerExW
kernel32.dll.SetWaitableTimerEx
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
ole32.dll.CoUninitialize
advapi32.dll.CreateProcessAsUserW
cryptsp.dll.CryptGetDefaultProviderW
ole32.dll.CoCreateGuid
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
kernel32.dll.FreeLibrary
[email protected]@Z
msvcr120_clr0400.dll._unlock
msvcr120_clr0400.dll._lock
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
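The resolved-API list above ends with a run that a triage analyst should flag on sight: CreateProcessAsUserW, then GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, in that order. That is the native call order of process hollowing (start a target suspended, overwrite its image, redirect the thread and resume). The .NET type references further down show Reflection.Emit builders next to CallingConvention and CharSet, which is how a managed loader defines P/Invoke stubs at runtime instead of carrying them in its import table. The script below is an added example, not CAPE's own code and not derived from the sample: it parses both lists in the report's line format and scores them for those two indicators. The API set, the type set and the excerpt lists embedded as sample input are assumptions copied from the report above; the rest of the report is omitted.

```python
"""Triage helper for two lists in the CAPE report above: the resolved native
APIs and the .NET type references. Added example; not part of the report."""
from __future__ import annotations

from typing import Iterable

# Native API order seen in classic process hollowing (create target suspended,
# read/patch its image and thread context, resume). Relative order matters.
HOLLOWING_SEQUENCE = (
    "GetThreadContext",
    "ReadProcessMemory",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)
PROCESS_CREATORS = {"CreateProcessW", "CreateProcessA", "CreateProcessAsUserW"}

# .NET types that together point at P/Invoke stubs built at runtime with
# Reflection.Emit (DefinePInvokeMethod); an assumption for this example.
DYNAMIC_PINVOKE_TYPES = {
    "System.Reflection.Emit.AssemblyBuilder",
    "System.Reflection.Emit.ModuleBuilder",
    "System.Reflection.Emit.MethodBuilder",
    "System.Runtime.InteropServices.CallingConvention",
    "System.Runtime.InteropServices.CharSet",
}


def parse_api_lines(lines: Iterable[str]) -> list[tuple[str, str]]:
    """'kernel32.dll.VirtualAllocEx' -> ('kernel32.dll', 'VirtualAllocEx').

    Keeps report order. Lines without a '.dll.' separator (garbled entries
    such as the mangled C++ exports in the list above) are skipped.
    """
    parsed = []
    for raw in lines:
        module, sep, func = raw.strip().partition(".dll.")
        if sep and func:
            parsed.append((module.lower() + ".dll", func))
    return parsed


def in_order(names: list[str], sequence: tuple[str, ...]) -> bool:
    """True if every element of `sequence` occurs in `names` in that relative order."""
    cursor = iter(names)  # shared iterator, so each match must come after the previous one
    return all(any(n == wanted for n in cursor) for wanted in sequence)


def hollowing_indicators(api_lines: Iterable[str]) -> dict:
    funcs = [f for _, f in parse_api_lines(api_lines)]
    return {
        "process_creator": next((f for f in funcs if f in PROCESS_CREATORS), None),
        "present": [f for f in HOLLOWING_SEQUENCE if f in funcs],
        "full_sequence_in_order": in_order(funcs, HOLLOWING_SEQUENCE),
    }


def dynamic_pinvoke_indicators(typeref_lines: Iterable[str]) -> dict:
    """Each report line is '<assembly> <type name>'; only the type name is used."""
    types = {line.split()[-1] for line in typeref_lines if line.strip()}
    hits = sorted(DYNAMIC_PINVOKE_TYPES & types)
    return {"hits": hits, "likely_dynamic_pinvoke": len(hits) == len(DYNAMIC_PINVOKE_TYPES)}


# Constructed sample input: excerpts copied from the lists in the report above.
SAMPLE_API_LINES = [
    "kernel32.dll.GetTempPathW",
    "advapi32.dll.CreateProcessAsUserW",
    "cryptsp.dll.CryptGetDefaultProviderW",
    "ole32.dll.CoCreateGuid",
    "kernel32.dll.GetThreadContext",
    "kernel32.dll.ReadProcessMemory",
    "kernel32.dll.VirtualAllocEx",
    "kernel32.dll.WriteProcessMemory",
    "kernel32.dll.SetThreadContext",
    "kernel32.dll.ResumeThread",
    "kernel32.dll.FreeLibrary",
    "mscoree.dll.#142",
]
SAMPLE_TYPEREF_LINES = [
    "mscorlib System.AppDomain",
    "mscorlib System.Reflection.Emit.AssemblyBuilder",
    "mscorlib System.Reflection.Emit.ModuleBuilder",
    "mscorlib System.Reflection.Emit.MethodBuilder",
    "mscorlib System.Runtime.InteropServices.CallingConvention",
    "mscorlib System.Runtime.InteropServices.CharSet",
    "mscorlib System.Reflection.MethodImplAttributes",
]

if __name__ == "__main__":
    print(hollowing_indicators(SAMPLE_API_LINES))
    print(dynamic_pinvoke_indicators(SAMPLE_TYPEREF_LINES))
```

Two caveats when reading the result. The "resolved APIs" list records address resolution (GetProcAddress-style lookups), not calls, and much of it is the CLR and WPF resolving their own dependencies, so the ordered hollowing run is a strong triage signal but not proof on its own; the behavioural confirmation is a second process started suspended and written to, which the process-tree and injection signatures of the same report would show. The Reflection.Emit check is likewise a hint: the same types appear in legitimate code generators, and the interesting follow-up is to dump the dynamically created P/Invoke methods from memory to recover the hidden import list.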
"C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe"

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash
0x00400000 0x00490bfe 0x00000000 0x000a0c54 4.0 2020-03-29 12:01:54 f34d5f2d4577ed6d9ceec516c1f5a744 ae64ad60d7874fa95655e2b501ae81a5 b028e87be8035706c824434b691dba1b

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x0008ec04 0x0008ee00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.20
.rsrc 0x0008f000 0x00092000 0x000048ae 0x00004a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.08
.reloc 0x00093a00 0x00098000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.06

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00092130 0x00004228 LANG_NEUTRAL SUBLANG_NEUTRAL 5.04 None
RT_GROUP_ICON 0x00096358 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 1.92 None
RT_VERSION 0x0009636c 0x00000358 LANG_NEUTRAL SUBLANG_NEUTRAL 3.61 None
RT_MANIFEST 0x000966c4 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name lelea
Version 1.0.0.0

Assembly References

Name Version
mscorlib 4.0.0.0
PresentationFramework 4.0.0.0
System.Xaml 4.0.0.0
System 4.0.0.0
System.Drawing 4.0.0.0
System.Windows.Forms 4.0.0.0
System.Management 4.0.0.0
Microsoft.Build.Utilities.v4.0 4.0.0.0
cEVVUEwqFsUHTWefJBsfbIyNvvkgA 0.0.0.0
System.Core 4.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute b^4DFq~6j2A$&r
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute X$x92aH%#N5e6mA^
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute 9d$TtD3*6/PzS7f
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute Copyright © 2012 - 20
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 5.7.9.
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute 4b*PB%8d7Jp
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute 315e2352-410a-47d1-9f66-cd31996038

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.SuppressIldasmAttribute
mscorlib System.Reflection.Assembly
mscorlib System.ResolveEventArgs
mscorlib System.ValueType
mscorlib System.Object
mscorlib System.IO.Stream
mscorlib System.Environment
mscorlib System.Environment/SpecialFolder
mscorlib System.Globalization.CultureInfo
mscorlib System.Text.StringBuilder
PresentationFramework System.Windows.Controls.UserControl
System.Xaml System.Windows.Markup.IComponentConnector
mscorlib System.Security.Cryptography.HashAlgorithm
mscorlib System.Collections.Generic.Dictionary`2
mscorlib System.IO.FileStream
System System.Diagnostics.Process
mscorlib System.IO.MemoryStream
mscorlib System.IDisposable
mscorlib System.IO.FileMode
mscorlib System.IO.FileAccess
mscorlib System.IO.FileShare
mscorlib System.IO.StreamReader
mscorlib System.IO.TextReader
System System.Uri
System System.UriKind
mscorlib System.Security.Cryptography.SHA256Managed
System System.Diagnostics.ProcessModule
mscorlib System.Collections.Generic.IList`1
mscorlib System.Type
mscorlib System.RuntimeTypeHandle
System.Drawing System.Drawing.Bitmap
System.Drawing System.Drawing.Rectangle
System.Drawing System.Drawing.Image
mscorlib System.Random
System.Drawing System.Drawing.Imaging.ImageFormat
System.Drawing System.Drawing.Size
mscorlib System.Diagnostics.StackTrace
mscorlib System.Diagnostics.StackFrame
mscorlib System.InvalidOperationException
mscorlib System.Reflection.MethodBase
mscorlib System.Reflection.Module
mscorlib System.Reflection.MemberInfo
mscorlib System.Resources.ResourceManager
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
mscorlib System.Enum
System.Drawing System.Drawing.Imaging.BitmapData
mscorlib System.Threading.Tasks.Task
mscorlib System.StringComparison
System.Windows.Forms System.Windows.Forms.DialogResult
System.Windows.Forms System.Windows.Forms.MessageBoxButtons
System.Windows.Forms System.Windows.Forms.MessageBoxIcon
System.Management System.Management.ManagementObjectSearcher
System.Management System.Management.ManagementObjectCollection
System.Management System.Management.ManagementObjectCollection/ManagementObjectEnumerator
System.Management System.Management.ManagementBaseObject
mscorlib System.AppDomain
mscorlib System.Reflection.AssemblyName
mscorlib System.Reflection.Emit.AssemblyBuilder
mscorlib System.Reflection.Emit.AssemblyBuilderAccess
mscorlib System.Reflection.Emit.ModuleBuilder
mscorlib System.Reflection.Emit.MethodBuilder
mscorlib System.Reflection.MethodAttributes
mscorlib System.Reflection.CallingConventions
mscorlib System.Runtime.InteropServices.CallingConvention
mscorlib System.Runtime.InteropServices.CharSet
mscorlib System.Reflection.MethodImplAttributes
mscorlib System.Reflection.MethodInfo
mscorlib System.Exception
PresentationFramework System.Windows.MessageBoxResult
PresentationFramework System.Windows.Window
System.Drawing System.Drawing.Imaging.ImageLockMode
System.Drawing System.Drawing.Imaging.PixelFormat
mscorlib System.Array
mscorlib System.Threading.WaitHandle
mscorlib Microsoft.Win32.SafeHandles.SafeWaitHandle
PresentationFramework System.Windows.Controls.Page
Microsoft.Build.Utilities.v4.0 Microsoft.Build.Utilities.TargetDotNetFrameworkVersion
mscorlib System.ArgumentNullException
System System.IO.Compression.DeflateStream
System System.IO.Compression.CompressionMode
System System.Diagnostics.ProcessStartInfo
mscorlib System.Security.Policy.Zone
mscorlib System.Security.SecurityZone
System System.Configuration.ApplicationSettingsBase
System System.Configuration.SettingsBase
mscorlib System.IO.BinaryReader
mscorlib System.Text.Encoding
mscorlib System.Decimal
mscorlib System.Collections.Hashtable
mscorlib System.RuntimeFieldHandle
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
PresentationFramework System.Windows.ThemeInfoAttribute
PresentationFramework System.Windows.ResourceDictionaryLocation
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.STAThreadAttribute
mscorlib System.FlagsAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
mscorlib System.Security.SecuritySafeCriticalAttribute
mscorlib System.Char
mscorlib System.Runtime.CompilerServices.RuntimeHelpers
mscorlib System.Byte
mscorlib System.UInt32
mscorlib System.Collections.IEnumerable
mscorlib System.Buffer
mscorlib System.String
mscorlib System.Collections.IStructuralComparable
mscorlib System.Math
mscorlib System.Guid
mscorlib System.IFormatProvider
mscorlib System.ICloneable
mscorlib System.IntPtr
mscorlib System.Int32
mscorlib System.IConvertible
mscorlib System.Collections.Generic.IEnumerable`1
mscorlib System.IO.Path
mscorlib System.IO.File
PresentationFramework System.Windows.Application
mscorlib System.IComparable`1
mscorlib System.Collections.Generic.ICollection`1
System System.ComponentModel.Component
System.Drawing System.Drawing.Point
System.Core System.Linq.Enumerable
mscorlib System.Runtime.InteropServices.Marshal
mscorlib System.Boolean
mscorlib Microsoft.Win32.Registry
System.Windows.Forms System.Windows.Forms.MessageBox
mscorlib System.Collections.Generic.List`1
mscorlib System.IO.IOException
PresentationFramework System.Windows.MessageBox
mscorlib System.Convert
mscorlib System.BitConverter
mscorlib System.Threading.Thread
Microsoft.Build.Utilities.v4.0 Microsoft.Build.Utilities.ToolLocationHelper
mscorlib System.Runtime.Serialization.ISerializable
mscorlib System.SByte
mscorlib System.Int16
mscorlib System.Int64
mscorlib System.Double
mscorlib System.Single
mscorlib System.UInt64
mscorlib System.UInt16
mscorlib System.DateTime
mscorlib System.Runtime.Serialization.IDeserializationCallback
mscorlib System.Threading.Monitor
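
The Type References above pair System.Drawing.Bitmap, System.Drawing.Imaging.BitmapData and ImageLockMode with System.IO.Compression.DeflateStream, System.Reflection.Assembly and System.ResolveEventArgs, and the Assembly References carry a dependency named cEVVUEwqFsUHTWefJBsfbIyNvvkgA at version 0.0.0.0 that no public package provides. Read together this is the shape of a loader that locks the pixel buffer of an embedded bitmap, treats the pixel bytes as a DEFLATE stream and passes the inflated bytes to Assembly.Load, with an AssemblyResolve handler satisfying the odd reference; the second "This program cannot be run in DOS mode" stub further down the string dump is consistent with a PE being carried that way. The report does not show the loader's code or its exact encoding. The added example below is not code from the report or the sample: it assumes the simplest form of the scheme, an uncompressed 24-bit BMP whose pixel bytes in stride order are a raw DEFLATE stream, builds such a carrier from a constructed payload, and recovers and checks the payload the way a triage script would (stdlib only; the width, header layout and the fake PE are the example's own choices).

```python
import struct
import zlib

BMP_HEADER_SIZE = 14
DIB_HEADER_SIZE = 40  # BITMAPINFOHEADER


def row_stride(width: int, bytes_per_pixel: int = 3) -> int:
    """Row length in bytes padded to a 4-byte boundary (BMP file and GDI+ stride rule)."""
    return (width * bytes_per_pixel + 3) & ~3


def pack_payload_into_bmp(payload: bytes, width: int = 64) -> bytes:
    """Build a top-down 24-bit BMP whose pixel bytes are a raw DEFLATE stream of payload.

    Constructed carrier for the demo; the real sample's layout is not on the page.
    """
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, as DeflateStream emits
    stream = comp.compress(payload) + comp.flush()
    stride = row_stride(width)
    height = -(-len(stream) // stride)  # ceiling division: rows needed
    pixels = bytearray(stream) + b"\x00" * (stride * height - len(stream))
    pixel_off = BMP_HEADER_SIZE + DIB_HEADER_SIZE
    bmp_hdr = struct.pack("<2sIHHI", b"BM", pixel_off + len(pixels), 0, 0, pixel_off)
    # negative biHeight = top-down rows, so stream order equals row order
    dib_hdr = struct.pack("<IiiHHIIiiII", DIB_HEADER_SIZE, width, -height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return bmp_hdr + dib_hdr + bytes(pixels)


def pixel_bytes(bmp: bytes) -> bytes:
    """Return the 24bpp pixel buffer in top-down stride order, row padding included."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_off = struct.unpack_from("<I", bmp, 10)[0]
    width, height, _planes, bpp = struct.unpack_from("<iiHH", bmp, BMP_HEADER_SIZE + 4)
    if bpp != 24:
        raise ValueError("demo handles 24bpp only")
    rows = abs(height)
    stride = row_stride(width)
    data = bmp[pixel_off:pixel_off + stride * rows]
    if height > 0:  # bottom-up file: restore top-down order before inflating
        data = b"".join(data[i * stride:(i + 1) * stride] for i in reversed(range(rows)))
    return data


def inflate_prefix(buf: bytes) -> bytes:
    """Inflate a raw DEFLATE stream at the start of buf; trailing row padding is ignored."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(buf)
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def extract_payload(bmp: bytes) -> bytes:
    return inflate_prefix(pixel_bytes(bmp))


def looks_like_pe(blob: bytes) -> bool:
    """MZ stub plus a PE\\0\\0 signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def demo() -> bool:
    # Constructed stand-in for the embedded PE: MZ header, e_lfanew = 0x80, PE signature.
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80))
    fake_pe += b"\x00" * (0x80 - len(fake_pe)) + b"PE\x00\x00" + b"\x90" * 300
    carrier = pack_payload_into_bmp(bytes(fake_pe))
    recovered = extract_payload(carrier)
    return recovered == bytes(fake_pe) and looks_like_pe(recovered)


if __name__ == "__main__":
    print("round trip ok:", demo())
```

When applying this to a real .resources blob, the bitmap is usually serialized as a PNG or BMP inside the resource entry and the byte order inside each pixel (BGR for Format24bppRgb) and the row direction both matter; the MZ check at the end is what tells you whether you guessed the layout right.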

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
~E0Wuo
$RE4Q.DU~^
a<R[_
mJ3YC
~lVBs
V&_`,m"C
8F~Ne
=jG2[e
Pp">VL
}5_ov
d}4#XSEp
Vlv`E8>
g[Z^O
C9)i0*
?F!`!S
2Uk#za
:bJZ#
5Z /S
MJ5Z
rZ T/s
A4oa8
a8Z N
~RZ O
"Wa8N
fnZ T_H`a8
b%&8E
xI%&8
D+a8y
Z 28f:a8
_z^Z '
[%&8f
\EHh%+
@Wa8h
w#>E8T
Z K;y*a8
qgZ .%
ippa%
>zD+Z
j_a8M
*G%Z
iv,a%
_Z kuUDa8
@.O48
^1MZ
W;{Z
ehXg%+
G1$%&8
'Dy8m
P(Z y
Z doe
XZ KAF
w.|+%+
~eM%+
v(2%&
Li&Za8
Ysd%&8t
'Dy8g
Ysd%&8T
_Ea8h
tka8\
#0YNZ
Z.y%&8-
qZ |1(Na8
JP2%&8
p*bR
Z FN<~a8
~Ea8`
*-a8
4Za8x
Z J?6sa8
,^Z X
yva85
=Z \#^
.EZ K
Z G*-a87
6z-5(
tZ Jp;sa80
C9r8k
}}a8Y
Z .8?
bZ AZ
),Ea%
7\qA+
'u.8B
Z [7iia8
Ll%&8
nKZ q
KZ 0UO
|]z8Z
mZ a8b
Z 8{R
KYGl(
/>a8v
lSj"Za8E
>S:Z N
?Z %@
RBw1
eW2a%
m%&8s
k%&8b
@uP%Z
N<a8c
pO%&8Q
Z )ar
s7a87
aHUiZ
#%ci%+
vma8w
Z N|D1a8p
'x?6%&8
16M%+
Vo%&8
zXLZ
$R3Z
dh$)Z
Z 8mg
"Z YBa
.Z \C
XZ 1~
>Z pn
AiG)(
*^a8"
)]SZ
u/Va%
u/Va%
zv%&8q
u/Va%
.<a8~
j/s%&8
+S)%+
a%&8N
>(na8^
X.JG8
MXN2Z
!Z !+
drZ AwXa8
4Z )?
iOj%&8
UO[%+
{7YZ
Z 3`s
Z X,n
&la8R
m[%&8m
|+fa8Z
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD
*cD0*cD1*cD2*cD3*cD4*cD5*cD6*cD7*cD8*cD9*cDP*cDQ*cDR*cDS*cDT*cDU*cDV*cDW*cDZ*cD[*cDp*cDq*cDr*cDs*cDt*cDu*cDv*cDw*cDz*cD{*cD
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
v`e9OV&
`.rsrc
@.reloc
.text
!This program cannot be run in DOS mode.
CTIONAREHOST
FILEPRINCIPALA
SUPRAVEGHEREPACK
SUPRAVEGHEREREG
SUPRAVEGHERENSEI
SELEm
STABILI
PREVENIRE
CHINUI
REVEDUIVM
REVEDUISB
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
i/i!:
pM~{&
kuNb(w
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
{2Nv.
VI&56CzrxL
L0J#2
p,K`c
+MX"o`
S{Jq/hm
3YEe/
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
wu{~Z `L
OjKZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z N=o
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;Nz~Z
>Ca8z
Z %Bh
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Sca8B
3Z 'Z>ga8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.aTZ
?;fa81
Z @F&
pZ (M
MZ F4
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
KZ \,
iZ }6F
Z wl*:a8
SOZ 7]z
vgDZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<NLZ
5:KZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
N>a8'
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
= n-J
~ n-J
#O`Z
kca8}
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ElZQH
hM4'6
)5{9
t*S*r
+wz_p
0J&V-HY
dNmTg9
qe12t
3n0mi
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
U'? )
M n-J
PZGZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
tZ Oey
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~iZ k'pAa8
1Z &D$)a8
Qi0Z
],F[Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.jua81
|E""Z 7
$Z wsd
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Aya8`
MZ kj$
eq3LZ
Z M 4na8#
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
KVca8
91zZ U4
bVZ l
DLaZ .c
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z 0U"
CLZ oMY(a8
zAZ *9
'.Z X
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
zZ 'e
<vSZ
bVa8N
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:Z t#
^aa8`
{j&Z
&H.a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
%$Rt~
P3<.P7
vk[{j6
]+J;BI
j00P<
LA b=
i,4zu
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
zZ *$
?'a8e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
b Ua8
Z yr^2a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
YmZ \
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
6M}a8
h_a8W
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
^:+8F
$]a8V
$#A/8
kZ !c
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
azZ 9)
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
p|=9Z
i-;a8+
Hla8m
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
VZ B<
Z KSO
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
V!9p3
~1HJY
uv]I3
6f!))
[\#]/
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
PVZ GhF
j?Ea8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
}5'a8
Z 18A
>Z g4
]Tvm
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
rR!'Z nG
9V-a8
%({a8
J8a8b
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
w$a8n
3XkZ z
,]}<8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
XeHZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
5Z bS
:w8a8
we(s8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
P>)\8
} DFR
Z 8Jy
SZ jH
d$UZ Vi
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
W0 DFR
qcHoZ
*]8`
Z k_V
PLma8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4vH^a%
R0Z z
n 4vH^a%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
sMga8
2(.a8}
nZ @%4`a8$
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:P]V1
?#kB+
C9%^J
E\?~%kX
G+v7t
.gD?;
%RU<7{
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
^p'Z
bNua8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
U:E=Z y
Z 9Ks3a8
_;Z ~\
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
dZ [K-
WgXZ X,
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
,Z hT
;M62Z C
iEZ W
R.Z s
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z yOl|a8W
kfa8"
Z 8q"
oUZ *jKya8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
lca8U
WMZ D
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
=1|a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
DlzFa8
!CqHZ
}"a8A
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
.Z ix9;a8
Z Ka8
8"a8B
5/Z p\
5m/pZ _
;H^Z
Z ,3`
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
y IYo
\A5 IYo}a%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
(]G~pO
s.yZ~
35O6`
gMs?IE
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
d IYo}a%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
F,Jp8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
s,bRZ
D$G^Z
vq 8e
G?Z _
_wqD8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
[:Z v
+.Z *g
g<a8l
r\Z %
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
lfWZ {
K8a8L
IdIa8
t>a89
pK?m
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
CRa83
L]xt8
y9kZ *
Z 8#r
v+.8w
GK`a8:
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
;{9a8
6FZ ,
_Z TW
Z n6n
"Za8b
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
{"7Z jr
UZ -Nv
-ga8n
[Z -y]
.(a8=
Z #v7
7Z 45
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
^kZ3Z Y0
a8 Iej
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_WbZW
zr;$>}
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
sKa8z
9Z w%c
_Ja8e
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
xczZ cSp?a8
$+a8b
OZ(a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z gLQfa8:
Z L{9
Z c>X!a83
mwZ ]d
d\7Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Ps}a8
V#a8D
Z ^mt7a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
fV0n8
Z W$T
6tx+Z
YSZ $
dZ 8i
2Z \cQ
N10Z <
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z R=+
K4\TZ
#]2Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
&dZ !
",Z .
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
X=6a84
o/Z h
Z )|U
L&a8T
@IZ W
Z $H 0a8x
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
<vha8'
ju38e
~*7Z
$?a84
oZ <}
<Z aL
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
wqxa8j
iZ E34
Z %G4
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*1A\_
Zj){n
31%C?
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z }NQ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
]St;
ra%(Q
/ 7A\qa%
4 1g"pa%
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
|Z 4Y
D%va%
D%va%
9^Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
zZ %5G^a8
E,O|8
oD3ia8
Z =R,wa8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Q"%} #
S17x8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
MEa83
2pZ F
,{YKZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
C8,mZ
\YZ S
y_za8
DWha8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z EaFza8
Z f0/Ha8u
Z 2a6
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
)|!7Z
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
9Jhna8
Z $D ^a8'
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
4~)4wd
]]o{}
Ex,w$
86f/2E
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
m1)IZ
lhKvZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
GhLZ 6^*
p;5a8
P:<a8
81.a8
(sZ A
@F.a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
UcHZ
-CTZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
!Z *s
;2+a8
+)Z u0
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
*Ga8F
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z L^7
gDZ ?
W8a8Z
hD`a8
{Rra8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
_-Z E"Y
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z Y(R
IZ Q7
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
\Z >C
4ya8o
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:.Z 0[B
82!8t
ZZ n
)\a8g
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
`(~MRWj1
d^_4#
QzmB+
t~{g5
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
O5I6Z +^
P-a8q
T9ta8G
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
udna87
2dta8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
~Z 0t
3Z *!"xa8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
bZ 0,[a8W
|7Ga86
a-N^Z 1
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Z PO(
KDBM(
beZ $
Z S;1
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
zyZ R
d\+bZ
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
CTa8M
:=a8,
Z N4,
T34;Z
mTq jLU
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
#Blob
v4.0.30319
#Strings
j1}Z KO?`a8
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
E2'-_
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
:x b!
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
tmzJv
5&5J:
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
2=cd+
8%]?,
~VnhR|
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
# 5 B M e j y
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
beylo
RW,jw1.
SSnc|
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
m_ThreadStaticValue
get_GetInstance
rzt_Computer
get_Application
get_User
get_WebServices
rfbjectProvider
m_UserObjectProvider
m_MyWebServicesObjectProvider
geomputer
Microsoft.VisualBasic.Devices
m_ComputerObjectProvider
m_AppOsualBasic
ApplicationBase
Microsoft.VisualBasic.ApplicationServices
Microsoft.Vipz
Object
Stream
System.IO
.cctor
mscorlib
ValueType
System
.ctor
pzoVqEqRCjFYdJACNeMaCDAbIv.exe
<Module>
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
System.Windows.Forms
GetKeyboardLayout
user32
ToUnicodeEx
pbtec
GetModuleFileNameEx
GetWindowThreadProcessId
MapVirtualKey
EnumProcessModules
psapi.dll
powText
GetWindowTextLength
GetKeyboardState
GetForegroundWindow
StringBuilder
System.Text
GetWindvs
MoveFileExW
DeleteFile
kernel32
GetModuleFileNameA
IList`1
System.Collections.Generic
MemoryStream
ElapsedEventArgs
System.Timers
rawing
ImageCodecInfo
System.Drawing.Imaging
ImageFormat
pxdValue
get_kbHook
set_kbHook
System.DstInputInfo
user32.dll
get_ClipboardHook
set_ClipboardHook
WithEventslgd
GetLam
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
get_UserName
set_UserName
get_URL
set_URL
get_Browslnt
System.Security.Cryptography
lwharam
lParam
KHF_EXTENDED
LLKHF_INJECTED
LLKHF_ALTDOWN
LLKHF_UP
nCode
wPyUp
vkCode
scanCode
flags
dwExtraInfo
UnhookWindowsHookEx
add_KeyDown
remove_KeyDown
add_KeyUp
remove_Kee
SetWindowsHookEx
User32.dll
CallNextHookEx
BOARD_LL
HC_ACTION
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
DelegateAsyncState
EndInvoke
DelegateAsyncResult
Invoke
WH_KEYgetMethod
BeginInvoke
IAsyncResult
AsyncCallback
sender
DelegateCallback
WndProc
Message
Finalize
MulticastDelegate
TargetObject
TarardChain
SendMessage
add_Changed
remove_Changed
NativeWindow
SetClipboardViewer
ChangeClipboPassword
set_Password
Value
vsame
ProcessorName
AmountOfMemory
Password
get_PasswordHash
get_m
cbSize
dwTime
value__
OperatingSystemN
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Parse
Sequence
Integer
BitString
OctetString
ObjectIdentifier
At_Keys
FileName
Asn1Der
Parse
dataToyk
_Version
_Keys
KeyValuePair`2
get_Version
set_Version
get_Keys
Flock
BlackHawk
CyberFox
KMeleon
IceCat
PaleMoon
IceDragon
WaterFox
Mozilla
Postbox
Thunderbird
SeaMonk
rcqrvc
Dictionary`2
lbcodq
GetPrivateProfileString
BASE64
iItem3
List`1
set_Browser
Item1
Item2
Item3
iItem1
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
orElement
pPackageSid
LastModified
dwFlags
dwPropertiesCount
pPropertyElpszCredentialFriendlyName
pResourceElement
pIdentityElement
pAuthenticaturce
Identity
Authenticator
PackageSid
AppStart
AppEnd
SchemaId
ByteArray
TimeStamp
ProtectedArray
Attribute
Illegal
Resoc
Undefined
Boolean
Short
UnsignedShort
UnsignedInt
Double
StrinltGetItem
famerateVaults
VaultEnumerateItems
Vaui.dll
VaultCloseVault
VaultFree
VaultEnu
VaultOpenVault
vaultcl
mwdnyj
Rijndael
nezionCount
algorithm
password
iterations
objects
HmacAlgorithm
sSalt
Iteratht
set_Lenght
get_objects
set_objects
get_Data
set_Data
GetAsnString
1DerObject
_Type
_Lenght
_objects
_Data
get_Type
set_Type
get_Leng
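
Next to the Mozilla-family product names above (Flock, BlackHawk, CyberFox, KMeleon, IceCat, PaleMoon, IceDragon, WaterFox, Mozilla, Postbox, Thunderbird, SeaMonkey) the string list names an Asn1Der class with Parse and the tag types Sequence, Integer, BitString, OctetString and ObjectIdentifier, then Rijndael, password, iterations, sSalt and HmacAlgorithm. That is the vocabulary of a DER walker that pulls a password-based key-derivation structure out of a stored key blob before decrypting it with AES. The page does not show the parser itself. The added example below is not the sample's code: it is a minimal DER TLV parser in Python, run over a constructed SEQUENCE (a PBKDF2 OID, an OCTET STRING salt and an INTEGER iteration count) to show what such a class has to handle: short and long-form lengths, nested constructed tags and base-128 OID arcs. The sample salt and iteration count are invented.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Universal DER tag numbers that appear by name in the sample's string list
TAG_INTEGER = 0x02
TAG_BIT_STRING = 0x03
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_SEQUENCE = 0x30  # 0x10 with the constructed bit (0x20) set


@dataclass
class DerObject:
    tag: int
    data: bytes
    children: List["DerObject"] = field(default_factory=list)

    @property
    def constructed(self) -> bool:
        return bool(self.tag & 0x20)

    def as_int(self) -> int:
        return int.from_bytes(self.data, "big", signed=True)

    def as_oid(self) -> str:
        first, second = divmod(self.data[0], 40)
        arcs, value = [first, second], 0
        for b in self.data[1:]:          # base-128, high bit = continuation
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(value)
                value = 0
        return ".".join(map(str, arcs))

    def as_bitstring(self) -> bytes:
        return self.data[1:]  # first octet counts unused trailing bits


def _read_length(buf: bytes, pos: int):
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not DER")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse(buf: bytes, pos: int = 0, end: Optional[int] = None) -> List[DerObject]:
    """Parse consecutive TLVs in buf[pos:end], recursing into constructed tags."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError("multi-byte tags not supported")
        length, pos = _read_length(buf, pos + 1)
        if pos + length > end:
            raise ValueError("length runs past enclosing object")
        obj = DerObject(tag, buf[pos:pos + length])
        if obj.constructed:
            obj.children = parse(buf, pos, pos + length)
        out.append(obj)
        pos += length
    return out


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, data: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(data)) + data


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


# Constructed sample: SEQUENCE { OID id-PBKDF2, OCTET STRING salt, INTEGER iterations }
SAMPLE_SALT = bytes(range(20))
SAMPLE_DER = tlv(TAG_SEQUENCE,
                 tlv(TAG_OID, encode_oid("1.2.840.113549.1.5.12"))
                 + tlv(TAG_OCTET_STRING, SAMPLE_SALT)
                 + tlv(TAG_INTEGER, (10000).to_bytes(2, "big")))


def kdf_params(der: bytes):
    """Return (oid, salt, iterations) from a structure shaped like SAMPLE_DER."""
    seq = parse(der)[0]
    oid, salt, iters = seq.children
    return oid.as_oid(), salt.data, iters.as_int()
```

The length check against the enclosing object's end is the part a hand-rolled parser in a stealer often skips; keep it, since it is what stops a crafted blob from walking the parser past the buffer.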
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
BCRYPT_AUTH_TAG_LENGTH
BCRYPT_CHAINING_MODE
BCRYPT_KEY_DATA_BLOB
BCD_OAEP
BCRYPT_KEY_DATA_BLOB_MAGIC
BCRYPT_OBJECT_LENGTH
BCRYPT_CHAIN_MODE
Crc32
ModifyTime
Comment
ERROR_SUCCESS
BCRYPT_PAD_PSS
BCRYPT_PAFilenameInZip
FileSize
CompressedSize
HeaderOffset
FileOffset
HeaderSizekh
Store
Deflate
Method
DateTime
FileAccess
EncodeUTF8
ForceDeflating
ZipFileStream
RegCloseKey
RegQueryValueEx
vices
get_IsInvalid
ReleaseHandle
RegOpenKeyEx
Advapi32
SafeHandle
System.Runtime.InteropServmeInformationA
item_type
item_name
astable_name
root_num
sql_statement
GetVoluaj
baseName
row_id
content
fazbc
SchemaElementId
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
eratedCodeAttribute
System.CodeDom.Compiler
DebuggerHiddenAttribute
EditorBrowsableAttribute
System.ComponentModel
EditorBrowsableState
Genttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttributez
pzoVqEqRCjFYdJACNeMaCDAbIv
GuidAttribute
RuntimeCompatibilityAt
bjement
pbLabel
cbLabel
cbAAD
cbData
Dispose
dwMinLength
dwMaxLength
dwIncrNonce
cbNonce
pbAuthData
cbAuthData
pbTag
cbTag
pbMacContext
cbMacContexkah
pszAlgId
cbSalt
IDisposable
dwInfoVersion
BCryptDecrypt
BCryptDestroyKey
BCryptEncrypt
BCryptSetProperty
BCryptImportKey
dorithmProvider
BCryptGetProperty
dacCryptOpenAlgorithmProvider
bcrypt.dll
BCryptCloseAlgS_FLAG
BCRYPT_INIT_AUTH_MODE_INFO_VERSION
STATUS_AUTH_TAG_MISMATCH
PT_AES_ALGORITHM
MS_PRIMITIVE_PROVIDER
BCRYPT_AUTH_MODE_CHAIN_CALL
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
Environment
GetEnvironmentVariable
Concat
SystemInformation
get_Compu.Threading
Sleep
Timer
Process
Exception
RegistryKey
Microsoft.Win32
StaHandle
RuntimeTypeHandle
ToString
Activator
CreateInstance
Thread
System
get_Length
Write
GetObjectValue
Equals
GetHashCode
GetTypeFromet_IV
CreateDecryptor
ICryptoTransform
TransformFinalBlock
ReadBytelockCopy
Encoding
get_UTF8
GetString
Create
SymmetricAlgorithm
set_Key
sembly
System.Reflection
GetExecutingAssembly
GetCallingAssembly
Buffer
UInt32
RuntimeHelpers
InitializeArray
Array
RuntimeFieldHandle
System.Runtime.ConstrainedExecution
Consistency
ParamArrayAttributeanagedCodeSecurityAttribute
System.Security
ReliabilityContractAttributetedStateExceptionsAttribute
System.Runtime.ExceptionServices
SuppressUnmThreadAttribute
FlagsAttribute
DefaultValueAttribute
HandleProcessCorrupttribute
CompilerGeneratedAttribute
AccessedThroughPropertyAttribute
STAodel.Design
MyGroupCollectionAttribute
ComVisibleAttribute
ThreadStaticAsoft.VisualBasic.CompilerServices
HelpKeywordAttribute
System.ComponentMm
.Diagnostics
HideModuleNameAttribute
StandardModuleAttribute
Micro
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
(k[RJ
67Q0P
'"kI.D
~9.zH
1Y\SC<
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
sition
Quality
get_Jpeg
get_Param
FromImage
Image
CopyFromScreen
MaRectangle
Point
get_Screen
Screen
get_Bounds
get_Width
get_Height
set_Poget_Now
Graphics
Encoder
EncoderParameter
EncoderParameters
Bitmap
System.Text.RegularExpressions
Split
ToArray
ToBase64String
Replace
GetProcessesByName
GetImageEncoders
get_FormatID
get_Guid
op_Equality
Reion
Convert
ToDouble
Round
GetCurrentProcess
get_ProcessName
get_Id
eObject
MoveNext
GetPropertyValue
get_TotalPhysicalMemory
UInt64
ConversectEnumerator
get_OSFullName
GetEnumerator
get_Current
ManagementBasObjectSearcher
ManagementObject
ManagementObjectCollection
ManagementObjm.Net
GetTempPath
DownloadFile
ComputerInfo
System.Management
Managementue
Close
Conversions
ToBoolean
ToInteger
Application
WebClient
SysteCopy
SetAttributes
FileAttributes
Registry
CurrentUser
OpenSubKey
SetVal
get_FileName
ProjectData
SetProjectError
ClearProjectError
Delete
toryInfo
GetFullPath
GetProcesses
get_MainModule
ProcessModule_Interval
Operators
CompareString
Directory
Exists
CreateDirectory
Direcm
rName
get_Location
ElapsedEventHandler
add_Elapsed
set_Enabled
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Bitmap
ablePath
get_Millisecond
Substring
StartsWith
HttpWebRequest
WebResponset_ContentDisposition
ContentDisposition
set_FileName
set_Port
get_Executllection`1
System.Collections.ObjectModel
set_EnableSsl
set_Host
geject
ICredentialsByHost
set_Body
get_Attachments
AttachmentCollection
set_MediaType
set_Name
set_IsBodyHtml
set_UseDefaultCredentials
set_Sub.Net.Mail
MailAddress
MailMessage
Attachment
ContentType
System.Net.Mimenumerable
AddRange
IEnumerable`1
AppendLine
Clear
SmtpClient
SystemSystem.Collections
Enumerator
Combine
GetFolderPath
SpecialFolder
IEreObjectLess
NotObject
ToGenericParameter
set_Item
get_Item
IEnumerator
LateIndexGet
ModObject
SubtractObject
DivideObject
MultiplyObject
CompaoServiceProvider
ICollection`1
get_Count
ConditionalCompareObjectGreaters
set_Method
GetBytes
ToLong
set_ContentLength
GetRequestStream
RNGCryptet
LateCall
LateSetComplex
NetworkCredential
set_Credentials
ICredentialContains
DeleteValue
FtpWebRequest
WebRequest
Int32
NewLateBinding
LateGDataString
AppendAllText
ServerComputer
get_Info
ConcatenateObject
SizeOf
get_TickCount
Monitor
Enter
ReadAllText
Escape
ances
get_Properties
PropertyDataCollection
PropertyData
Interaction
Getion
Group
Capture
get_Value
GetDirectories
ManagementClass
Empty
GetInstryName
GetFileName
Match
Matches
MatchCollection
get_Groups
GroupCollectNSTANCE
ToInt32
op_Inequality
GetRandomFileName
KeyCollection
GetDirectoet_WParam
get_LParam
GetType
PtrToStructure
GetModules
Module
GetHItor
FromBase64String
Delegate
Remove
CreateParams
CreateHandle
get_Msg
gvider
TripleDES
set_Mode
CipherMode
set_Padding
PaddingMode
CreateEncrypryptoServiceProvider
HashAlgorithm
ComputeHash
TripleDESCryptoServiceProrlKeyDown
get_AltKeyDown
get_CapsLock
get_ShiftKeyDown
UTF8Encoding
MD5CVersionInfo
get_ProductName
ToLower
ToUpper
get_Keyboard
Keyboard
get_CtocessById
IntPtr
get_Handle
op_Explicit
get_Capacity
FileVersionInfo
ClipboardProxy
Microsoft.VisualBasic.MyServices
GetText
EndsWith
GetPrt_ContentType
GetResponse
GetResponseStream
ReadToEnd
Flush
get_Clipboarpe
set_Timeout
set_AllowAutoRedirect
set_MaximumAutomaticRedirections
seet_UserAgent
ServicePointManager
set_SecurityProtocol
SecurityProtocolTym
treamReader
CredentialCache
get_DefaultCredentials
set_KeepAlive
GetCharCount
GetChars
BitConverter
ToInt16
ReadLine
get_EndOfStream
WaictEqual
ConditionalCompareObjectLess
Floor
Initialize
Decoder
GetDecoderbject
ToChar
Random
FileStream
FileMode
FileShare
ConditionalCompareObjed
FileSystem
FileAttribute
StringSplitOptions
ReadAllBytes
XorOaString
Format
AddObject
get_Chars
IndexOf
ToCharArray
Information
UBounNodes
get_ItemOf
XmlElement
get_InnerText
get_Unicode
Resize
UnescapeDatStr
ToByte
System.Xml
XmlDocument
XmlNodeList
XmlNode
get_Childscape
Environ
Strings
CompareMethod
StringType
MidStmtStr
InLines
get_Values
RijndaelManaged
ChangeType
Rfc2898DeriveBytes
LateSet
EetSubKeyNames
TrimEnd
get_Registry
RegistryProxy
ValueCollection
ReadAllincipal
ReadInt16
Int16
ReadInt32
PtrToStringUni
GetFiles
SearchOption
G_Size
GetValue
GetField
ReadIntPtr
SecurityIdentifier
System.Security.PrectGreaterEqual
ConditionalCompareObjectNotEqual
ToInt64
ContainsKey
getpe
FieldInfo
get_OSVersion
OperatingSystem
Version
ConditionalCompareObjlName
RegexOptions
get_Success
ProtectedData
Unprotect
DataProtectionScom
Append
IsNullOrEmpty
get_Default
GetParent
get_Parent
get_Ful
CryptographicException
get_Minute
get_Hour
get_Day
get_Month
get_Year
AllocHGlobal
FreeHGlobal
System.IO.Compression
CompressionMode
get_CanSeek
SetLength
get_Second
tWriteTime
DirectorySeparatorChar
LastIndexOf
get_Position
DeflateStreamt
get_FileSystem
FileSystemProxy
handle
InvalidOperationException
GetLasyArray
Int64
ToUInt16
CompareTo
LTrim
CreateProjectError
CreateObjecigEndianUnicode
Compare
ToULong
Subtract
Multiply
ToUInt64
Utils
CopAndObject
CompareObjectEqual
CompareObjectGreater
OrObject
Decimal
get_Bder
SHA1CryptoServiceProvider
HMACSHA1
HMACSHA256
CompareObjectNotEqual
System.Globalization
get_InvariantCulture
NumberStyles
IFormatProvi
Reverse
AppendFormat
get_HashSize
IsLittleEndian
get_Key
get_IV
CulturetringComparison
BinaryReader
OpenRead
get_BaseStream
get_ASCII
Trimndow
set_RedirectStandardOutput
set_UseShellExecute
get_StandardOutput
orExit
get_StartInfo
ProcessStartInfo
set_Arguments
set_CreateNoWi
ClipboardHook
kbHook
.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
My.User
My.WebServices
4System.Web.Services.Protocols
MyTemplate
14.0.0.0
My.Computer
My.Application
WrapNonExceptionThrows
$1b1db702-110a-4aad-9d0e-883454d3b5a2
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
permanently!
NUMEROTAREFILE
DISPAREA
NUMEFILADISPARUTA
Disabled
v4.0.30319
#Strings
#GUID
#Blob
Microsoft.Build.Utilities.v4.0
get_Scan0
IComparable`1
IEnumerable`1
ICollection`1
IList`1
kernel32
Microsoft.Win32
ReadUInt32
ToUInt32
ReadInt32
ToInt32
Dictionary`2
ReadUInt64
ReadInt64
ReadUInt16
ReadInt16
ToInt16
get_UTF8
<Module>
cEVVUEwqFsUHTWefJBsfbIyNvvkgA
System.IO
value__
lelea
BitmapData
mscorlib
System.Collections.Generic
GetProcessById
Thread
SHA256Managed
Synchronized
ReadToEnd
Append
UriKind
DefinePInvokeMethod
GetMethod
Replace
StackTrace
CreateInstance
get_ExitCode
FileMode
ImageLockMode
CompressionMode
Image
EndInvoke
BeginInvoke
ICloneable
IStructuralComparable
IEnumerable
IDisposable
Hashtable
ISerializable
IConvertible
ReadDouble
RuntimeFieldHandle
RuntimeTypeHandle
GetTypeFromHandle
set_SafeWaitHandle
Rectangle
ReadSingle
DeleteFile
get_Module
DefineDynamicModule
get_MainModule
ProcessModule
get_FileName
GetRandomFileName
get_ModuleName
GetProcessesByName
AssemblyName
StackFrame
DateTime
WaitOne
get_NewLine
Combine
get_SecurityZone
ValueType
GetType
GetElementType
FileShare
System.Core
get_CurrentCulture
MethodBase
ApplicationSettingsBase
Close
Dispose
MulticastDelegate
EditorBrowsableState
Delete
Write
STAThreadAttribute
CompilerGeneratedAttribute
GuidAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
EditorBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
SecuritySafeCriticalAttribute
SuppressIldasmAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
ThemeInfoAttribute
FlagsAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
set_UseShellExecute
ReadSByte
ReadByte
GetValue
lelea.exe
get_Size
SizeOf
System.Threading
Encoding
System.Drawing.Imaging
System.Runtime.Versioning
ReadString
ToString
GetString
System.Drawing
ComputeHash
GetFullPath
GetTempPath
GetFolderPath
get_Length
AsyncCallback
IDeserializationCallback
PresentationFramework
GetPathToDotNetFramework
Marshal
ReadDecimal
System.ComponentModel
advapi32.dll
kernel32.dll
System.Xaml
UserControl
CreateFromUrl
FileStream
DeflateStream
MemoryStream
get_Item
set_Item
System
HashAlgorithm
Random
ReadBoolean
AppDomain
get_CurrentDomain
MessageBoxIcon
GetFileNameWithoutExtension
TargetDotNetFrameworkVersion
System.IO.Compression
Application
get_Location
ResourceDictionaryLocation
System.Configuration
System.Globalization
System.Runtime.Serialization
System.Reflection
ManagementObjectCollection
op_Addition
set_Position
CallingConvention
IOException
ArgumentNullException
InvalidOperationException
get_InnerException
StringComparison
Intern
CopyTo
MethodInfo
CultureInfo
MemberInfo
set_StartInfo
ProcessStartInfo
Bitmap
Sleep
get_Bmp
System.Windows.Markup
System.Linq
ReadChar
ToChar
StreamReader
TextReader
BinaryReader
IFormatProvider
MethodBuilder
ModuleBuilder
StringBuilder
AssemblyBuilder
SpecialFolder
GetBuffer
ResourceManager
ManagementObjectSearcher
System.CodeDom.Compiler
ToolLocationHelper
CreateProcessAsUser
Enter
BitConverter
ToLower
ManagementObjectEnumerator
GetEnumerator
.ctor
.cctor
IComponentConnector
Monitor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
q^vWG)ENl1my|A8DN:Gu0`O6.resources
lelea.g.resources
b98f0022c98938443393c9e484dc7336.Resources.resources
Microsoft.Build.Utilities
ExpandEnvironmentVariables
Microsoft.Win32.SafeHandles
GetFrames
GetProcesses
MethodAttributes
MethodImplAttributes
ReadBytes
WriteAllBytes
GetBytes
NextBytes
SetImplementationFlags
ResolveEventArgs
System.Threading.Tasks
Equals
System.Windows.Controls
System.Windows.Forms
Contains
System.Collections
CreateGlobalFunctions
CallingConventions
MessageBoxButtons
get_Chars
RuntimeHelpers
FileAccess
AssemblyBuilderAccess
GetCurrentProcess
get_BaseAddress
LockBits
UnlockBits
Exists
System.Windows
Concat
AppendFormat
ImageFormat
PixelFormat
ManagementBaseObject
GetObject
Connect
CharSet
op_Explicit
System.Reflection.Emit
Default
IAsyncResult
DialogResult
MessageBoxResult
ToUpperInvariant
System.Management
Environment
LoadComponent
InitializeComponent
get_Current
Point
get_Count
Start
Insert
Convert
FailFast
set_RedirectStandardOutput
MoveNext
System.Text
WriteAllText
set_CreateNoWindow
CopyFileEx
MessageBox
Delay
InitializeArray
ToArray
ToCharArray
System.Security.Policy
ContainsKey
System.Security.Cryptography
get_Assembly
DefineDynamicAssembly
GetEntryAssembly
BlockCopy
FromBinary
Registry
set_Capacity
op_Equality
System.Security
IsNullOrEmpty
b^4DFq~6j2A$&r8B
X$x92aH%#N5e6mA^sJ
WrapNonExceptionThrows
9d$TtD3*6/PzS7f)b
Copyright
2012 - 2019
5.7.9.11
.NETFramework,Version=v4.6
FrameworkDisplayName
.NET Framework 4.6
4b*PB%8d7Jp#y
$315e2352-410a-47d1-9f66-cd3199603896
PresentationBuildTasks
4.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
now database format
ComputeHash
Leh, version 2, native byte-order)
Unk1561
Berkelet DB
00000002
1.85 (Has;
0006xt
logins
.0.0.0
Assembly Version
0.0.0.0
CNeMaCDAbIv.exe
ProductVersion
OriginalFilename
pzoVqEqRCjFYdJACNeMaCDAbIv.exe
LegalCopyright
.0.0
InternalName
pzoVqEqRCjFYdJAleDescription
FileVersion
StringFileInfo
000004b0
VarFileInfo
Translation
VS_VERSION_INFO
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
X$x92aH%#N5e6mA^sJ
CompanyName
9d$TtD3*6/PzS7f)b
FileDescription
b^4DFq~6j2A$&r8B
FileVersion
5.7.9.11
InternalName
GGT53.exe
LegalCopyright
Copyright
2012 - 2019
OriginalFilename
GGT53.exe
ProductName
b^4DFq~6j2A$&r8B
ProductVersion
5.7.9.11
Assembly Version
0.0.0.0
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct IP Country Name
8.8.8.8 United States

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.5 137 192.168.1.255 137
192.168.1.5 54312 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-06-30 09:27:20.168 192.168.1.5 49175 13.107.42.23 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-06-30 09:27:20.289 192.168.1.5 49175 13.107.42.23 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.5 49175 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown
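Context for the single alert above: the only TLS session in the capture went to 13.107.42.23 with a server certificate for CN=edge.skype.com, i.e. Skype/Microsoft service traffic from the analysis VM, and the report records no sample behavior at all ("Sorry! No behavior"), so the "ET JA3 Hash - Possible Malware" hit is best treated as background noise rather than sample-generated traffic. JA3 itself is simply an MD5 over five fields of the ClientHello (version, cipher suites, extension types, supported groups, EC point formats, each joined with "-", fields joined with ","), with GREASE values dropped. The following is an added example, not part of the CAPE report or of Suricata's code: it parses a ClientHello record and computes the JA3 string and hash, so an analyst can reproduce a fingerprint from a pcap instead of trusting the signature name. The ClientHello bytes are constructed inline (the SNI and the cipher/extension lists are invented for the demo); the report's hash is kept only as a constant to compare against.

```python
import hashlib
import struct

# JA3 hash reported by Suricata for the edge.skype.com session in this report.
REPORT_JA3 = "3b483d0b34894548b602e8d18cdc24c5"

# GREASE values (RFC 8701) are randomised per connection and excluded from JA3.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16_list(data: bytes) -> list:
    """Decode a big-endian array of 16-bit values."""
    return [struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello.

    Raises ValueError when the bytes are not a complete ClientHello.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id (length-prefixed)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods

    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):                    # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10 and len(edata) >= 2:        # supported_groups
                glen = struct.unpack(">H", edata[:2])[0]
                groups = [g for g in _u16_list(edata[2:2 + glen]) if g not in GREASE]
            elif etype == 11 and len(edata) >= 1:      # ec_point_formats
                flen = edata[0]
                formats = list(edata[1:1 + flen])

    def join(vals):
        return "-".join(str(v) for v in vals)

    ja3 = ",".join([str(version), join(ciphers), join(ext_types), join(groups), join(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_sample_client_hello(sni: str = "edge.skype.com") -> bytes:
    """Constructed TLS 1.2 ClientHello for the demo; not a capture from the report."""
    def ext(etype, data):
        return struct.pack(">HH", etype, len(data)) + data

    host = sni.encode()
    sni_list = b"\x00" + struct.pack(">H", len(host)) + host
    exts = (ext(0x2a2a, b"")                                      # GREASE, must be ignored
            + ext(0, struct.pack(">H", len(sni_list)) + sni_list)   # server_name
            + ext(10, struct.pack(">H", 6) + struct.pack(">HHH", 0x0a0a, 0x001d, 0x0017))
            + ext(11, b"\x01\x00"))                                 # ec_point_formats
    ciphers = struct.pack(">HHHHH", 0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f)  # first is GREASE
    body = (struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", len(ciphers)) + ciphers
            + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def matches_report(ja3_md5: str) -> bool:
    """True when a computed hash equals the one Suricata logged in this report."""
    return ja3_md5.lower() == REPORT_JA3


if __name__ == "__main__":
    ja3_str, ja3_md5 = ja3_from_client_hello(build_sample_client_hello())
    print(ja3_str)
    print(ja3_md5, "matches report:", matches_report(ja3_md5))
```

In practice you would feed `ja3_from_client_hello` the payload of the first client-to-server TCP segment of the 49175 -> 443 flow from the pcap; a hash that matches `REPORT_JA3` but belongs to a stock Windows or Skype component is the usual way this particular ET rule produces noise, which is why the server certificate subject matters more than the signature name here.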
Sorry! No dropped files.
Sorry! No CAPE files.
Process Name 3fPRS.exe
PID 5232
Dump Size 281600 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\3fPRS.exe
Type PE image: 32-bit executable
PE timestamp 2020-06-15 00:47:22
MD5 13ee831440315c02cafcea721573f7ec
SHA1 3f6a86637e64b8e01f35aabe06718701d48d6da0
SHA256 34c8a10e0c87db717a7cb03fc309815b3933862e6e9dece36971c97415faf541
CRC32 6AE5B364
Ssdeep 6144:HMinytvkiX+X4g0cmuFEMN7PPlYr9mXAo4:sLX+X4mVN7er
CAPE Yara
  • AgentTeslaV2 Payload - Author: ditekshen
Dump Filename 34c8a10e0c87db717a7cb03fc309815b3933862e6e9dece36971c97415faf541
Defense Evasion Privilege Escalation
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1055 - Process Injection
    • Signature - InjectionInterProcess

    Processing ( 7.261 seconds )

    • 5.316 Suricata
    • 0.546 BehaviorAnalysis
    • 0.508 Static
    • 0.259 CAPE
    • 0.189 VirusTotal
    • 0.117 static_dotnet
    • 0.095 AnalysisInfo
    • 0.068 TargetInfo
    • 0.047 NetworkAnalysis
    • 0.045 Deduplicate
    • 0.041 ProcDump
    • 0.018 Strings
    • 0.007 peid
    • 0.005 Debug

    Signatures ( 0.539 seconds )

    • 0.09 antiav_detectreg
    • 0.036 infostealer_ftp
    • 0.031 territorial_disputes_sigs
    • 0.026 masquerade_process_name
    • 0.022 infostealer_im
    • 0.02 antiav_detectfile
    • 0.018 antianalysis_detectreg
    • 0.012 decoy_document
    • 0.012 stealth_timeout
    • 0.012 infostealer_bitcoin
    • 0.011 api_spamming
    • 0.011 ransomware_files
    • 0.01 antianalysis_detectfile
    • 0.01 antivm_vbox_keys
    • 0.01 infostealer_mail
    • 0.009 Unpacker
    • 0.008 Doppelganging
    • 0.008 InjectionCreateRemoteThread
    • 0.008 NewtWire Behavior
    • 0.008 antivm_vbox_files
    • 0.007 injection_createremotethread
    • 0.007 ransomware_extensions
    • 0.006 antivm_vmware_keys
    • 0.006 qulab_files
    • 0.005 antidebug_guardpages
    • 0.005 exploit_heapspray
    • 0.005 injection_runpe
    • 0.005 antivm_parallels_keys
    • 0.005 antivm_xen_keys
    • 0.005 geodo_banking_trojan
    • 0.005 predatorthethief_files
    • 0.004 InjectionProcessHollowing
    • 0.004 antiemu_wine_func
    • 0.003 InjectionInterProcess
    • 0.003 antivm_generic_disk
    • 0.003 betabot_behavior
    • 0.003 guloader_apis
    • 0.003 dynamic_function_loading
    • 0.003 exec_crash
    • 0.003 kibex_behavior
    • 0.003 malicious_dynamic_function_loading
    • 0.003 persistence_autorun
    • 0.003 stack_pivot
    • 0.003 antidbg_devices
    • 0.003 antivm_generic_diskreg
    • 0.003 antivm_vmware_files
    • 0.003 antivm_vpc_keys
    • 0.002 antivm_generic_scsi
    • 0.002 antivm_vbox_libs
    • 0.002 dyre_behavior
    • 0.002 encrypted_ioc
    • 0.002 infostealer_browser_password
    • 0.002 kovter_behavior
    • 0.002 mimics_filetime
    • 0.002 network_tor
    • 0.002 reads_self
    • 0.002 stealth_file
    • 0.002 virus
    • 0.002 masslogger_files
    • 0.001 antiav_avast_libs
    • 0.001 antidbg_windows
    • 0.001 antivm_generic_services
    • 0.001 bootkit
    • 0.001 lsass_credential_dumping
    • 0.001 exploit_getbasekerneladdress
    • 0.001 exploit_gethaldispatchtable
    • 0.001 hancitor_behavior
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser
    • 0.001 kazybot_behavior
    • 0.001 OrcusRAT Behavior
    • 0.001 shifu_behavior
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 antivm_xen_keys
    • 0.001 antivm_hyperv_keys
    • 0.001 antivm_vbox_devices
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 bypass_firewall
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint
    • 0.001 sniffer_winpcap
    • 0.001 targeted_flame

    Reporting ( 12.575 seconds )

    • 10.186 BinGraph
    • 1.519 JsonDump
    • 0.867 MITRE_TTPS
    • 0.003 PCAP2CERT