MalScore
100/100

qsr.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 43/68 Related 2476
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 554.50 KB (567808 bytes)
Compile time: 2018-08-02 03:56:49
MD5: 769c280c5eff2d1598c5de438b567d8a
SHA1: 21a81afcb69ab65b2174b00b580b2591dff6caf5
SHA256: 2b2314c8a255a08803fc37ca56261c50230772843b2a7bd977bc2bab5d7b8fa3
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 4 import resource debug relocation
First submission: 2018-08-08 19:09:04
Last submission: 2018-08-08 19:09:04
Filename detected: - qsr.exe (1)
URL file hosting
hXXp://23.249.161.109/chfrd/qsr.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-08-06 17:30:57 [43/68] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x5744 22528 c5507b6a12dc7bdd1d3dc3e98455f420 f1226c21aa3ca6857f73e1e1bb5c8cd53fa85700
.rsrc 0x8000 0x6bd1c 441856 04a85f90948e46ac1b4d29254e4c4ace 2c5acc4df20cabfb209f8755d47958a0ee22ce35
.reloc 0x74000 0xc 512 615a0ae75c33153108420d4600ca4aa1 45e83db6a67951b9dffb3c0a3792d97ece8e215a
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x2fa70 1128 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x2fed8 118 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x2ff50 532 LANG_ENGLISH SUBLANG_ENGLISH_US
RT_HTML 0x30164 277431 LANG_GERMAN SUBLANG_GERMAN
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: © Microsoft Corporation. All rights reserved.
Translation: 0x0409 0x04b0
FileDescription: XPS Viewer
ProductName: Microsoft® Windows® Operating System
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
System.Management.dll
System.dll
System.Drawing.dll
System.Core.dll
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
String too long
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven01_64 Seven01_64 VirtualBox 2018-08-08 19:05:59 2018-08-08 19:09:06 187

13 Behaviors detected by system signatures

8 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\qsr.exe.config
C:\Users\Seven01\AppData\Local\Temp\qsr.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\unrar\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Python27\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\nSfZHxLuiNM70BTB\*
C:\Users\Seven01\AppData\Local\Temp\qsr.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol26.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Seven01\AppData\Local\Temp\avvskte0.tmp
C:\Users\Seven01\AppData\Local\Temp\avvskte0.0.cs
C:\Users\Seven01\AppData\Local\Temp\avvskte0.dll
C:\Users\Seven01\AppData\Local\Temp\avvskte0.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Users\Seven01\AppData\Local\Temp\avvskte0.out
C:\Users\Seven01\AppData\Local\Temp\avvskte0.err
C:\Users\Seven01\AppData\Local\Temp\avvskte0.pdb
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Users\Seven01\AppData\Local\Temp\qsr.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\Seven01\AppData\Roaming\svchost
C:\Users\Seven01\AppData\Roaming
C:\Users\Seven01\AppData\Roaming\svchost\svchost.exe
C:\Users\Seven01\AppData\Roaming\svchost\svchost.exe:Zone.Identifier
C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\System.Management.dll
C:\Windows
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Users\Seven01\AppData\Local\Temp\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Users\Seven01\AppData\Local\Temp\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Users\Seven01\AppData\Local\Temp\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Users\Seven01\AppData\Local\Temp\CSC2C33E9895B9D43CFB46EFAE8C052D3A4.TMP
C:\Users\Seven01\AppData\Local\Temp\RES3DE.tmp
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\qsr.exe.config
C:\Users\Seven01\AppData\Local\Temp\qsr.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol26.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\Seven01\AppData\Local\Temp\avvskte0.dll
C:\Users\Seven01\AppData\Local\Temp\avvskte0.pdb
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Users\Seven01\AppData\Local\Temp\avvskte0.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Users\Seven01\AppData\Local\Temp\avvskte0.0.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Users\Seven01\AppData\Local\Temp\CSC2C33E9895B9D43CFB46EFAE8C052D3A4.TMP
C:\Users\Seven01\AppData\Local\Temp\RES3DE.tmp
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui

Write Files

C:\Users\Seven01\AppData\Local\Temp\avvskte0.tmp
C:\Users\Seven01\AppData\Local\Temp\avvskte0.0.cs
C:\Users\Seven01\AppData\Local\Temp\avvskte0.dll
C:\Users\Seven01\AppData\Local\Temp\avvskte0.cmdline
C:\Users\Seven01\AppData\Local\Temp\avvskte0.out
C:\Users\Seven01\AppData\Local\Temp\avvskte0.err
C:\Users\Seven01\AppData\Roaming\svchost\svchost.exe
C:\Users\Seven01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
C:\Users\Seven01\AppData\Local\Temp\avvskte0.pdb
C:\Users\Seven01\AppData\Local\Temp\CSC2C33E9895B9D43CFB46EFAE8C052D3A4.TMP
C:\Users\Seven01\AppData\Local\Temp\RES3DE.tmp

Delete Files

C:\Users\Seven01\AppData\Local\Temp\avvskte0.out
C:\Users\Seven01\AppData\Local\Temp\avvskte0.0.cs
C:\Users\Seven01\AppData\Local\Temp\avvskte0.tmp
C:\Users\Seven01\AppData\Local\Temp\avvskte0.err
C:\Users\Seven01\AppData\Local\Temp\avvskte0.cmdline
C:\Users\Seven01\AppData\Local\Temp\avvskte0.dll
C:\Users\Seven01\AppData\Local\Temp\avvskte0.pdb
C:\Users\Seven01\AppData\Roaming\svchost\svchost.exe:Zone.Identifier
C:\Users\Seven01\AppData\Local\Temp\RES3DE.tmp
C:\Users\Seven01\AppData\Local\Temp\CSC2C33E9895B9D43CFB46EFAE8C052D3A4.TMP

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qsr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\qsr.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\37A054FA
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\37A054FA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.GetTempPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetStdHandle
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.CreateProcessW
kernel32.dll.DuplicateHandle
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.DeleteFileW
kernel32.dll.FindResourceA
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
shell32.dll.SHGetFolderPathW
kernel32.dll.CreateDirectoryW
kernel32.dll.CopyFileW
kernel32.dll.DeleteFileA
kernel32.dll.WideCharToMultiByte
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
advapi32.dll.EventUnregister
kernel32.dll.GetProcessPreferredUILanguages
kernel32.dll.GetUserDefaultUILanguage
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
version.dll.VerQueryValueA
alink.dll.CreateALink
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
clr.dll.DllGetClassObjectInternal
clr.dll.StrongNameTokenFromPublicKey
clr.dll.StrongNameFreeBuffer
clr.dll.CompareAssemblyIdentityWithConfig
clr.dll.CreateAssemblyConfigCookie
clr.dll.DestroyAssemblyConfigCookie
clr.dll.CreateAssemblyNameObject
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
mscorpehost.dll.InitializeSxS
mscorpehost.dll.CreateICeeFileGen
mscorpehost.dll.DestroyICeeFileGen
ole32.dll.CoCreateGuid
diasymreader.dll.DllGetClassObject
rpcrt4.dll.UuidCreate
kernel32.dll.NlsGetCacheUpdateCount
ole32.dll.CreateStreamOnHGlobal
mscoree.dll.CorExitProcess
mscoreei.dll.CorExitProcess

Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\avvskte0.cmdline"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RES3DE.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSC2C33E9895B9D43CFB46EFAE8C052D3A4.TMP"

Started Services

Nothing to display

Created Services

Nothing to display

TheSystem Itself @ 2018-08-08 19:09:06