MalScore
100/100
MalFamily
Malicious

windows.exe

File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 369.00 KB (377856 bytes)
Compile time: 2018-07-11 06:35:41
MD5: 742b756f815fffd67c1d0a12978c6daa
SHA1: fb69409be9afeecff823ef7d7cae4c482aa45e5b
SHA256: cfedea428e09f1af3dfc8119e0d88aa30da2f4e92c0e560ecdb51beef531d850
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 4 .text .sdata .rsrc .reloc
Directories 3 import resource relocation
First submission: 2018-07-12 11:51:06
Last submission: 2018-07-12 11:51:06
Filename detected: - windows.exe (1)
URL file hosting
hXXp://borayplastik.com/wp-includes/windows.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-07-11 14:34:45 [21/68] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x1e304 123904 d4ddad7a752dd26680fe8342e038042c 5befd5b6080aa7b119bf1f3c0dbc5cf49d86177f
.sdata 0x22000 0x5b8 1536 bf64d89b5c81076268d7a069502042a2 203ccb837f8e615cca31a2b01e0f9549f19814b7
.rsrc 0x24000 0x24278 148480 889edbebc811a983302761dee4d4ee19 3eb99e7765897a8d8683f0142ccc0d0e372b44f6
.reloc 0x4a000 0xc 512 d228e66073d4d4805f005a50611d0ac4 b1a5ba26251fe95d084d3bd3dfb3d6e2bd6df635
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x283d0 16936 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x2c5f8 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x2c60c 524 LANG_ENGLISH SUBLANG_ENGLISH_US
RT_HTML 0x2c818 112755 LANG_GERMAN SUBLANG_GERMAN
RT_MANIFEST 0x4808c 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: pfkMfmHM
InternalName: VuZVgg21
FileDescription: ey638Vr4
Translation: 0x0409 0x04b0
OriginalFilename: LyVRFdD2.exe
ProductName: oD292Tiv
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
0.1.2.3
URL(s)
file:///
String too long
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven05b_64 Seven05b_64 VirtualBox 2018-07-12 11:46:13 2018-07-12 11:49:03 170

11 Behaviors detected by system signatures

9 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\windows.exe.config
C:\Users\Seven01\AppData\Local\Temp\windows.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\hj9xWh4I6PDdXOPD\*
C:\Users\Seven01\AppData\Local\Temp\windows.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.tmp
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.0.cs
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.out
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.err
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.pdb
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Users\Seven01\AppData\Local\Temp\windows.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Seven01\AppData\Roaming\windows.exe
C:\Users\Seven01\AppData\Roaming\windows.exe:Zone.Identifier
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_64
C:\Windows\assembly\GAC_64\mscorlib.resources
C:\Windows\assembly\GAC_32
C:\Windows\assembly\GAC_32\mscorlib.resources
C:\Windows\assembly\GAC_MSIL
C:\Windows\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\*
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC
C:\Windows\assembly\GAC\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_64
C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_32
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_MSIL
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\System.Management.dll
C:\Windows
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Users\Seven01\AppData\Local\Temp\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Users\Seven01\AppData\Local\Temp\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Users\Seven01\AppData\Local\Temp\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Users\Seven01\AppData\Local\Temp\CSC631F0D49631D4E5EB296D6F44CBCC1E8.TMP
C:\Users\Seven01\AppData\Local\Temp\RES21CB.tmp
C:\Windows\System32\tzres.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\.IgHiJkLiO

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\windows.exe.config
C:\Users\Seven01\AppData\Local\Temp\windows.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.pdb
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.0.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Users\Seven01\AppData\Local\Temp\CSC631F0D49631D4E5EB296D6F44CBCC1E8.TMP
C:\Users\Seven01\AppData\Local\Temp\RES21CB.tmp
C:\Windows\System32\tzres.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Write Files

C:\Users\Seven01\AppData\Local\Temp\hcowgtki.tmp
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.0.cs
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.cmdline
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.out
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.err
C:\Users\Seven01\AppData\Roaming\windows.exe
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.pdb
C:\Users\Seven01\AppData\Local\Temp\CSC631F0D49631D4E5EB296D6F44CBCC1E8.TMP
C:\Users\Seven01\AppData\Local\Temp\RES21CB.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\.IgHiJkLiO

Delete Files

C:\Users\Seven01\AppData\Local\Temp\hcowgtki.err
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.out
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.tmp
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.pdb
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.dll
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.cmdline
C:\Users\Seven01\AppData\Local\Temp\hcowgtki.0.cs
C:\Users\Seven01\AppData\Roaming\windows.exe:Zone.Identifier
C:\Users\Seven01\AppData\Local\Temp\RES21CB.tmp
C:\Users\Seven01\AppData\Local\Temp\CSC631F0D49631D4E5EB296D6F44CBCC1E8.TMP

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\windows.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\3A4F894F
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\3A4F894F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

-

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTempPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetStdHandle
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.CreateProcessW
kernel32.dll.DuplicateHandle
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.DeleteFileW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.FindResourceA
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
shell32.dll.SHGetFolderPathW
kernel32.dll.CopyFileW
kernel32.dll.DeleteFileA
kernel32.dll.WideCharToMultiByte
kernel32.dll.CompareStringOrdinal
clr.dll.CreateAssemblyNameObject
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
clr.dll.CreateAssemblyEnum
kernel32.dll.ResolveLocaleName
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
ole32.dll.CoUninitialize
oleaut32.dll.#500
advapi32.dll.EventUnregister
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
kernel32.dll.GetProcessPreferredUILanguages
kernel32.dll.GetUserDefaultUILanguage
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
version.dll.VerQueryValueA
alink.dll.CreateALink
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
clr.dll.DllGetClassObjectInternal
clr.dll.StrongNameTokenFromPublicKey
clr.dll.StrongNameFreeBuffer
clr.dll.CompareAssemblyIdentityWithConfig
clr.dll.CreateAssemblyConfigCookie
clr.dll.DestroyAssemblyConfigCookie
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
mscorpehost.dll.InitializeSxS
mscorpehost.dll.CreateICeeFileGen
mscorpehost.dll.DestroyICeeFileGen
ole32.dll.CoCreateGuid
diasymreader.dll.DllGetClassObject
rpcrt4.dll.UuidCreate
ole32.dll.CreateStreamOnHGlobal
mscoree.dll.CorExitProcess
mscoreei.dll.CorExitProcess
user32.dll.RegisterRawInputDevices
user32.dll.GetRawInputData
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware

Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\hcowgtki.cmdline"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RES21CB.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSC631F0D49631D4E5EB296D6F44CBCC1E8.TMP"

Started Services

Nothing to display

Created Services

Nothing to display

#infosec #automation

TheSystem Itself @ 2018-07-12 11:51:09

Detected family: #Malicious

TheSystem Itself @ 2018-07-12 11:56:03