Analysis

Category Package Started Completed Duration
FILE exe 2020-06-22 16:07:19 2020-06-22 16:09:42 143 seconds

Machine

Name Label Manager Started On Shutdown On
win7x64_2 win7x64_6 KVM 2020-06-22 16:07:20 2020-06-22 16:09:42

File Details

File Name onedrive-07.exe
File Size 418816 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PE timestamp 2020-05-22 08:11:43
MD5 389fcc1b4da07e48813db513029a207a
SHA1 b0ef937ecce0294c18b0c2db938976265e4a559c
SHA256 7de274ab7b27421e8878a6d4b5c1fd1fa072152c93adccd9bc16e9963befb6a9
SHA512 7d4acf14c60715222f5215f142103a855a6d75288d6ef36c404301ddf438138491e8ce00200f533901fa1717555021b640f58292551af2942692910b1cec9ba2
CRC32 5C3D9433
Ssdeep 12288:rZavO+9lDA+d/deIHp/R8GNhC6Jdfqj4a2:tGlD79/oeJq

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: onedrive-07.exe, PID 3924
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
CAPE extracted potentially suspicious content
onedrive-07.exe: Unpacked Shellcode
onedrive-07.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.84, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00065800, virtual_size: 0x00065674
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\onedrive-07.exe
Network activity detected but not expressed in API logs
File has been identified by 52 Antiviruses on VirusTotal as malicious
DrWeb: BackDoor.SpyBotNET.17
MicroWorld-eScan: Gen:Variant.Razy.673954
CAT-QuickHeal: Trojan.Sonbokli
McAfee: Trojan-FSJJ!389FCC1B4DA0
Malwarebytes: Trojan.PCrypt.MSIL.Generic
VIPRE: Trojan.Win32.Generic!BT
Sangfor: Malware
K7AntiVirus: Trojan ( 0056739f1 )
BitDefender: Gen:Variant.Razy.673954
K7GW: Trojan ( 0056739f1 )
BitDefenderTheta: Gen:[email protected]
Cyren: W32/MSIL_Kryptik.ASY.gen!Eldorado
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of MSIL/Kryptik.WAD
APEX: Malicious
Avast: Win32:PWSX-gen [Trj]
GData: Gen:Variant.Razy.673954
Kaspersky: HEUR:Backdoor.MSIL.Remcos.gen
Alibaba: TrojanSpy:MSIL/AgentTesla.47db0d60
NANO-Antivirus: Trojan.Win32.SpyBotNET.hknrdj
ViRobot: Trojan.Win32.S.Infostealer.418816
AegisLab: Trojan.MSIL.Remcos.m!c
Rising: Backdoor.Remcos!8.B89E (CLOUD)
Endgame: malicious (high confidence)
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/AD.AgentTesla.moalm
Zillya: Trojan.Kryptik.Win32.2038691
Invincea: heuristic
McAfee-GW-Edition: BehavesLike.Win32.Generic.gc
Emsisoft: Gen:Variant.Razy.673954 (B)
SentinelOne: DFI - Malicious PE
F-Prot: W32/MSIL_Kryptik.ASY.gen!Eldorado
Jiangmin: Backdoor.MSIL.cync
MaxSecure: Trojan.Malware.300983.susgen
Avira: TR/AD.AgentTesla.moalm
MAX: malware (ai score=80)
Antiy-AVL: Trojan[Backdoor]/MSIL.Remcos
AhnLab-V3: Malware/Win32.RL_Generic.C4106668
ZoneAlarm: HEUR:Backdoor.MSIL.Remcos.gen
ALYac: Gen:Variant.Razy.673954
Ad-Aware: Gen:Variant.Razy.673954
Cylance: Unsafe
Panda: Trj/GdSda.A
TrendMicro-HouseCall: TROJ_GEN.R002C0DEP20
Tencent: Win32.Trojan.Inject.Auto
Yandex: Trojan.Kryptik!g4ZmPSPSfc4
Ikarus: Trojan.MSIL.Krypt
Fortinet: MSIL/Agent.9D7E!tr
AVG: Win32:PWSX-gen [Trj]
Paloalto: generic.ml
CrowdStrike: win/malicious_confidence_70% (W)
Qihoo-360: Generic/Backdoor.23a

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\VERSION.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Louise\AppData\Local\Temp\onedrive-07.exe.config
C:\Users\Louise\AppData\Local\Temp\onedrive-07.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\6715dc4d04e35f16d482900c355325e9\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol214.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\43822396682b0ffc3cfb66137ddab95f\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\2c462a934e0586ac5e46c8b93e461384\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\aece3d371c0714e60f9509d2a3137395\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onedrive-07.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index214
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.SetDefaultDllDirectories
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
advapi32.dll.EventRegister
advapi32.dll.EventSetInformation
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.AddDllDirectory
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.GetCurrentProcessId
kernel32.dll.CloseHandle
advapi32.dll.LookupPrivilegeValueW
kernel32.dll.GetCurrentProcess
advapi32.dll.AdjustTokenPrivileges
kernel32.dll.OpenProcess
kernel32.dll.GetExitCodeProcess
ntdll.dll.NtQueryInformationProcess
psapi.dll.EnumProcesses
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
kernel32.dll.IsDebuggerPresent
kernel32.dll.OutputDebugStringW
kernel32.dll.RaiseFailFastException
kernel32.dll.GetThreadErrorMode
kernel32.dll.SetThreadErrorMode
advapi32.dll.EventUnregister

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash
0x00400000 0x0046766e 0x00000000 0x00074e8d 4.0 2020-05-22 08:11:43 f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000200 0x00002000 0x00065674 0x00065800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.84
.rsrc 0x00065a00 0x00068000 0x00000748 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.89
.reloc 0x00066200 0x0006a000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000680a0 0x000004b6 LANG_NEUTRAL SUBLANG_NEUTRAL 3.46 None
RT_MANIFEST 0x00068558 0x000001ea LANG_NEUTRAL SUBLANG_NEUTRAL 5.00 None

Imports


Assembly Information

Name jBeEyZQZFLS
Version 2020.0.8.1

Assembly References

Name Version
mscorlib 4.0.0.0
System 2.0.0.0
System.Windows.Forms 4.0.0.0
System 4.0.0.0
System.Data 4.0.0.0
System.Xml 4.0.0.0
System.Data.DataSetExtensions 4.0.0.0
System.Drawing 4.0.0.0
Microsoft.VisualBasic 10.0.0.0

Custom Attributes

Type Name Value
Assembly [mscorlib]System.Reflection.AssemblyTrademarkAttribute arche no
Assembly [mscorlib]System.Reflection.AssemblyCopyrightAttribute arche noVa 2020 (
Assembly [mscorlib]System.Runtime.InteropServices.GuidAttribute ac484348-a34e-4641-85f2-c1fbc9fb6b
Assembly [mscorlib]System.Reflection.AssemblyFileVersionAttribute 2020.0.8
Assembly [mscorlib]System.Reflection.AssemblyTitleAttribute MidtermFirstBui
Assembly [mscorlib]System.Reflection.AssemblyDescriptionAttribute arche noVa is a non-profit- and non-governmental organisation working primarily on the field of humanitarian aid, development cooperation and educatio
Assembly [mscorlib]System.Reflection.AssemblyProductAttribute MidtermFirstBui
Assembly [mscorlib]System.Reflection.AssemblyCompanyAttribute arche no
TypeDef [System]System.ComponentModel.Design.HelpKeywordAttribute vs.data.DataS
TypeDef [System]System.ComponentModel.DesignerCategoryAttribute co
TypeDef [System.Xml]System.Xml.Serialization.XmlRootAttribute IAHDAIYGDYDGID
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedDataSetSche
TypeDef [mscorlib]System.Reflection.DefaultMemberAttribute It
TypeDef [System.Xml]System.Xml.Serialization.XmlSchemaProviderAttribute GetTypedTableSche

Type References

Assembly Type Name
mscorlib System.Runtime.CompilerServices.SuppressIldasmAttribute
System System.Diagnostics.Process
mscorlib System.ValueType
mscorlib System.Random
mscorlib System.ApplicationException
mscorlib System.Object
mscorlib System.Type
System.Windows.Forms System.Windows.Forms.UserControl
System System.ComponentModel.IContainer
System.Windows.Forms System.Windows.Forms.Label
System.Windows.Forms System.Windows.Forms.Button
System.Windows.Forms System.Windows.Forms.GroupBox
mscorlib System.EventArgs
System.Data System.Data.DataSet
System.Data System.Data.SchemaSerializationMode
mscorlib System.Runtime.Serialization.SerializationInfo
mscorlib System.Runtime.Serialization.StreamingContext
System.Data System.Data.DataTableCollection
System.Data System.Data.DataRelationCollection
System.Xml System.Xml.XmlReader
System.Xml System.Xml.Schema.XmlSchema
System System.ComponentModel.CollectionChangeEventArgs
System.Xml System.Xml.Schema.XmlSchemaComplexType
System.Xml System.Xml.Schema.XmlSchemaSet
System.Data.DataSetExtensions System.Data.TypedTableBase`1
System.Data System.Data.DataColumn
System.Data System.Data.DataTable
System.Data System.Data.DataRow
System.Data System.Data.DataRowBuilder
System.Data System.Data.DataRowChangeEventArgs
mscorlib System.MulticastDelegate
mscorlib System.IAsyncResult
mscorlib System.AsyncCallback
System.Data System.Data.DataRowAction
System.Windows.Forms System.Windows.Forms.ListBox
System.Windows.Forms System.Windows.Forms.Form
System.Windows.Forms System.Windows.Forms.TextBox
System.Windows.Forms System.Windows.Forms.PictureBox
mscorlib System.Enum
mscorlib System.IComparable
mscorlib System.Guid
mscorlib System.Resources.ResourceManager
mscorlib System.Globalization.CultureInfo
System.Drawing System.Drawing.Bitmap
System System.Configuration.ApplicationSettingsBase
mscorlib System.Runtime.CompilerServices.CompilationRelaxationsAttribute
mscorlib System.Runtime.CompilerServices.RuntimeCompatibilityAttribute
mscorlib System.Diagnostics.DebuggableAttribute
mscorlib System.Diagnostics.DebuggableAttribute/DebuggingModes
mscorlib System.Reflection.AssemblyTitleAttribute
mscorlib System.Reflection.AssemblyDescriptionAttribute
mscorlib System.Reflection.AssemblyConfigurationAttribute
mscorlib System.Reflection.AssemblyCompanyAttribute
mscorlib System.Reflection.AssemblyProductAttribute
mscorlib System.Reflection.AssemblyCopyrightAttribute
mscorlib System.Reflection.AssemblyTrademarkAttribute
mscorlib System.Runtime.InteropServices.ComVisibleAttribute
mscorlib System.Runtime.InteropServices.GuidAttribute
mscorlib System.Reflection.AssemblyFileVersionAttribute
mscorlib System.Runtime.Versioning.TargetFrameworkAttribute
System System.ComponentModel.DesignerCategoryAttribute
System System.ComponentModel.ToolboxItemAttribute
System.Xml System.Xml.Serialization.XmlSchemaProviderAttribute
System.Xml System.Xml.Serialization.XmlRootAttribute
System System.ComponentModel.Design.HelpKeywordAttribute
mscorlib System.Diagnostics.DebuggerNonUserCodeAttribute
System System.CodeDom.Compiler.GeneratedCodeAttribute
System System.ComponentModel.BrowsableAttribute
System System.ComponentModel.DesignerSerializationVisibilityAttribute
System System.ComponentModel.DesignerSerializationVisibility
mscorlib System.Reflection.DefaultMemberAttribute
mscorlib System.Runtime.CompilerServices.CompilerGeneratedAttribute
mscorlib System.Diagnostics.DebuggerBrowsableAttribute
mscorlib System.Diagnostics.DebuggerBrowsableState
mscorlib System.STAThreadAttribute
System System.ComponentModel.EditorBrowsableAttribute
System System.ComponentModel.EditorBrowsableState
mscorlib System.String
mscorlib System.Environment
mscorlib System.Threading.ParameterizedThreadStart
mscorlib System.Threading.Thread
mscorlib System.Diagnostics.Debugger
mscorlib System.IntPtr
mscorlib System.Runtime.InteropServices.Marshal
System System.ComponentModel.Win32Exception
mscorlib System.ArgumentException
mscorlib System.Int32
mscorlib System.Reflection.Assembly
Microsoft.VisualBasic Microsoft.VisualBasic.CompilerServices.ProjectData
mscorlib System.Reflection.MethodInfo
mscorlib System.Reflection.MethodBase
mscorlib System.Text.Encoding
mscorlib System.Security.Cryptography.Rfc2898DeriveBytes
mscorlib System.Security.Cryptography.RijndaelManaged
mscorlib System.Byte
mscorlib System.Security.Cryptography.DeriveBytes
mscorlib System.Security.Cryptography.SymmetricAlgorithm
mscorlib System.Security.Cryptography.ICryptoTransform
mscorlib System.Array
System.Windows.Forms System.Windows.Forms.Control
System.Windows.Forms System.Windows.Forms.DockStyle
System.Windows.Forms System.Windows.Forms.Control/ControlCollection
mscorlib System.IDisposable
System.Windows.Forms System.Windows.Forms.ContainerControl
System.Drawing System.Drawing.Point
System.Drawing System.Drawing.Size
System.Windows.Forms System.Windows.Forms.ButtonBase
mscorlib System.EventHandler
System.Drawing System.Drawing.SizeF
System.Windows.Forms System.Windows.Forms.AutoScaleMode
System System.ComponentModel.CollectionChangeEventHandler
mscorlib System.RuntimeTypeHandle
mscorlib System.IO.StringReader
System.Xml System.Xml.XmlTextReader
mscorlib System.IO.TextReader
System.Data System.Data.MissingSchemaAction
System.Data System.Data.XmlReadMode
mscorlib System.IO.MemoryStream
System.Xml System.Xml.XmlTextWriter
mscorlib System.IO.Stream
System.Xml System.Xml.XmlWriter
System.Xml System.Xml.Schema.ValidationEventHandler
System System.ComponentModel.CollectionChangeAction
System.Xml System.Xml.Schema.XmlSchemaSequence
System.Xml System.Xml.Schema.XmlSchemaAny
mscorlib System.Collections.IEnumerator
System.Xml System.Xml.Schema.XmlSchemaGroupBase
System.Xml System.Xml.Schema.XmlSchemaObjectCollection
System.Xml System.Xml.Schema.XmlSchemaObject
System.Xml System.Xml.Schema.XmlSchemaParticle
mscorlib System.Collections.ICollection
mscorlib System.Collections.IEnumerable
System.Data System.Data.DataRowCollection
System.Data System.Data.InternalDataCollectionBase
mscorlib System.Delegate
mscorlib System.Threading.Interlocked
System.Data System.Data.DataColumnCollection
System.Data System.Data.MappingType
System.Xml System.Xml.Schema.XmlSchemaAttribute
mscorlib System.Decimal
System.Xml System.Xml.Schema.XmlSchemaContentProcessing
mscorlib System.InvalidCastException
System.Data System.Data.StrongTypingException
mscorlib System.Exception
mscorlib System.Convert
System.Windows.Forms System.Windows.Forms.ListBox/ObjectCollection
System.Windows.Forms System.Windows.Forms.ListControl
System System.ComponentModel.ISupportInitialize
System.Drawing System.Drawing.SystemColors
System.Drawing System.Drawing.Color
System.Drawing System.Drawing.Font
System.Drawing System.Drawing.FontStyle
System.Drawing System.Drawing.GraphicsUnit
System.Windows.Forms System.Windows.Forms.Application
System System.Configuration.SettingsBase

\&_T?'(}
~ONq6
IKvPn
mGcu}
+vu&/
#hj'|.
^XQgB4%K
/|!WK
|>]hB
5(c;Mb
2_e>k
Z"1-pS
lX(y.
D~pVS1
Xf,Px
H xa,
Fb4t4F
r|scB^N`
e_,Sn3
j= V]
4_m%sm
&4#W$F
EDc=!
MmFp)3
=Ub6&
pkOF|;
8{U?up)
%q|%//
u!oW;n[
#=jO&'l0
<0&!q&1i
tSb$r_
fd4%f
$j59V
%1G|u
WY/y~1
y1/8x
k?s>|V
8'{uK
9Hex3
SoWk"
TdWgc
UyL"Ry
kc%F
_e#96|1{'
^lj-~l4
Ce_vr
8Jk4E
1*w72
NVj'6f
]Xu|Z
^B?*H
L+SljG
]_Vlh
A^'en:
/~Nfi)T
x&zLc
vo?^V
-&9l'|
R?+zhC
L:\~GV
kU9m/
?86h$/
O""ix
K<zf+
gWr4m
Z][|l}U&
N"~nF
.y4^x
)?04?
\|+|ZWV
`yef$;24
3&w~b
*/84I
9Ttt*K8z{(
WrNdR
M$abg
"2zQT
)VNeX
_*782k+
NZr/Z
S}I<g
V$1+^e
Co;2O
7l)9O~
Bbp!g
YOHLx
\K~Eb
Suyup<
0S=ZW
iKVA3f
M&Xlf
Z+svr
wz3_r
=em)X
*z8R~v
-<+u-
::Lqg
hEV2dy
}eMWc
'c>Z=
u`a/~
2*Cx:
yo#uz
$7>.vF
#F|71>'
%:1M^`
.9a8|
zVELz
~}BHj
)IWXDu
K,k]o
|'RoX
6w3v3f
E_h0R
Y?f(*
e_=<-~
l'ql8+
*p9vS
wXOPM=
_+suxQ
n=Lx):
V4j_J
_dIl#
?Y=o(
5+l[E
a/s~T9
^%Wi=
&}kR<
)6gEj
V'X0Z>
{FEzm1
'2/>Z
\Lmx3
mi>n
qd%EO>sq
gR{E[~
^4kH/
H/WrI
?7.b^
_,,HmK)
XL5"\|
;2P~Y
fmy6`
<[cQK
pV1KxI
)c>]G
K8)z1
O#V'k
<f\Y.
#uN1aZl
WLU<\
z:y;Mv
qr7M/
C$7?=
ks|g"
MdvK}
yg9.:
o.iK$
^zO_N
R[b2o
?qu_/2
'1#E_
o}g+SN
Lav&o/X
q%Djj
~_="
v#*^`<
xt#$^H*
qO8Q2
9?F>=
(N=I%
V\|gUt
bZO&8U%
-60|E
~MF/\
}E'Ie
wKcZ7
tVc-
ILlO)
&xcyh3
expn$
%Nna0
F'+,k
>S$Dto&
j.p4(
-oob7d
8fUZs7
^q61q
w^pVY
,.s=b
;y,9(5
f(GEw`
3]ws[
h]k<*~c
f2F_'
G*s7!<
)uRDr
+o>jN
v6uRy
. kv"?}
cLzcq
=z?={
Zf;Ua
[)SVtu
3og]ve
k?Q=;
UY4}.
5szq}ms
X8P0r
Qtd,Q
PczxFR
xi{f{
^ 5G5
'U/zc;x
I\Cjh
]Do+6
/Y?&a
)MO0z
W)<W{
y*yUP
%:KX$
"y"}Ej
|[2Dl(uh
U4[PD%
wk%kVr
*KW3|
S/]Ntr
"cD"D
u2+jy]'
#2~z[
l4]G^
WOVxFL
5.abo
~;a"1i_
IlG_s?
r7k[Tg
Nn2.s9
_Rmje,
DD'ru2
~^ Za
u:,y;
z4]6Qe
~l2)N-x
}GfdG
14l#vEg
T&(L[
;YjYs
sb(=
_9K=$V7Y;
k*Oxm
%),[`N
9p)}E
$kFI|
V:G0,
nqdXu
I{&W|
eem)o5k
h[]E/
qJHcNE?
t*Yjt
eNb]s
8Vr<w
o"g_j
hR([7
ID,oW,
Fl0;Eh
3Rr}B+Y{
?3,I{
M=V^,G
aOcjtl
-u:bI
K.)c~
1%q{!
u)?\bo9
tzqy]u
&X|j:
:?kwY
v?'oY
f*386
a%6cE_e
k5eVm
.oV'b
^g9vU
?#^u,
w^W,jVd
f/by
ONPX[|
zs[rv
U`\d}
'Ys^p
$7^eu#
"WDnJ]
=0-Vbi
s]Ufp
7g(:Y
WXwH%R
;g^{yJ
)9u6y
05Fa1[05
0Fg+`
k~-LGkT_
J\Jn*
9y`7w
|v)-}
^6$-N
v5x};
Sszj%
{#j\4e
*WiRe
#qx0[
Eb~]d
_itHmG
!KSV3}
1jqs^
}j({qJj
fSwvo?
NsqKU
RqQ,U
;2Gl(~w
K#F3t
2BGbQy
jXmv$gB
uDV}J
G[8)v
|!kwa
@esv1
f{)GXa
vHEc0
1|M>C
gt"?r
seqO"W?"
riU:O
~mUQx
We,y_
!>R'O
]Pkh$
OI,zG
Vm(\_
H^5'a
L\EOg+.
O83t2
;.:!,
c+2cu=b
F9kTv
cNz2e
(6C]w
2Jd'N
Uhyi5
r=m3^
TUl,,e
WTftbu
Y<d+a
zeaD>]
x}%V%./
,Yk-5<Jm
LO6S}<K<I
e.I.h
\wj_u
Zct_wg
FL0gp
2"6YR
.l?$u
}?^x5
%;j'P
+bqWiorV
q\j<R
7~aq=
^S2e(
e`X{n
E4Q>{
Vsb8Z
OpMjyl
GCiz`4&{
vH%ba;
K0\:,>\
R]d?/
;gVfg
R2h-UOT
s|Ut"
BW#[j)
X16]~
zvut+ORa_
Iy&oz
+b[Ya
Kt%UWEr
aW{u/b<
2gn-N
u[#*V2
fQ6u3
2_\Da
*ui+:J
G_X1'n+
sUNq9
)}e=j
b{5^J
>Q'j8F
`Fj`1
}}RSl
9-?4`
XP,9w
b!+8~
GVA::
eNX/#
EvPT~
VW(a[
y7q0v
w-+z4
_d6mU
^L8iK
ckFsiU^p
'l(YO
).]|U
dwCe}
0nkLp
nj~J]
MWa)g
`uMwMK
I%^4{A
bQL+n_
wC:Z<fA
8R%S|
2Jr]4>
7fx)ut
w7?r%/
>`CHC
2~Jj%:
~!?9>
}<y_4
vI#:N|
a<e:,
uWwvn9
'waLW
8V vH
&qv{RZt.
'>=DF
o=,8m?
gHi#|?/!
^/uj)
^r9"u
b7'0d
H:/yHp
Wm-BS
>\~1]
zILWo
mYtx3
jmg?zG
.-(i;
v*O8`Mo
gj.AkS
8ni'p
zf?|c
&Q/k7
Lf^~
xg:m=
mpO_I
-f|)3
uk-RRa
(2$Gr;rQ
8OvoU
)m_V<O#P
ug,W=#
4}"cC
X#von
x[DgbFM5?
8.2CD
`lc#z
*Mv~6
4J0'r
K[jW%
G8cz^O[
Ci<Ma
Bi$s-$
-^`Z.ClSh;4
3C0MP
*mlY!
rrS#b
8jEP'G6
_,58\T
o8*9[
#,CW
-(G^v9.
2i70 q
)1U?R
Uh+1U
,b6_
LxZ&)
F-aST,V
1w^S>
JAtuo
bslw>E
cD[5/
U|3)G
N)6aEy
{J=56
H[2Sw
:z.=k
Pl[OF
9` fw,
py3i3
EGU/W|8
Q,v.W
0&42cyL#
0E|%QW
l2v/&=
a({<fK
e,;09u
,:;Ee>
jMr'K
$`h?B
1{l[a
J<MV[
g4E3q1
&Qcwe
r\;.o
TLvO"
E1lj_!
h,1bAATb4
I?tP<
5{I`=
s5K8$
]YVxG
cno3p6
+mMya]
"[tN0
`mTH*
j?uQ6
:JQh
|O4~3U
wI -C
sxp*G
??=LQ
.cd-N
;+cIj
o/yOc[
{~;~go
Be${$
cU9Mxmh
OapNl<
*_xRUWul
@TbH+}
3j,O%
W\yv[K
ayFt{0
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
v4.0.30319
#Strings
#GUID
#Blob
jBeEyZQZFLS.exe
mscorlib
SuppressIldasmAttribute
System.Runtime.CompilerServices
.ctor
<Module>
.cctor
System
Process
System.Diagnostics
CloseHandle
kernel32.dll
IsDebuggerPresent
OutputDebugString
ValueType
NtQueryInformationProcess
ntdll.dll
BronzeGreaves
MidtermFirstBuild
_defenseValue
_isNatural
_name
_weight
_slot
Random
randAttack
get_DefenseValue
get_IsNatural
get_Name
get_Weight
get_Slot
ToString
DefenseValue
IsNatural
Weight
BronzeHelmet
BagFullException
ApplicationException
Class1
Object
VWRVWVRKPMIRVMPRIVOR
CoreCCCCCC
hupigdhiypoagdpiydgpidygdi
afaqwefqwefqw
Files
fwef2e
Dec_t
rajawi
CombatScreen
System.Windows.Forms
UserControl
_gameManager
components
IContainer
System.ComponentModel
playerName
Label
playerAttack
PlayerHealth
enemyName
enemyAttack
enemyHealth
attackButton
Button
depthCounter
goToInvetoryButton
combatGroupBox
GroupBox
enemyDefense
playerDefense
label1
potion2Button
potion1Button
label2
gameManager
attackButton_Click
EventArgs
sender
goToInvetoryButton_Click
potion1Button_Click
potion2Button_Click
Dispose
disposing
InitializeComponent
GameWonScreen
IAHDAIYGDYDGIDDD
System.Data
DataSet
tablehuioiyyfouewfw
_schemaSerializationMode
SchemaSerializationMode
SerializationInfo
System.Runtime.Serialization
StreamingContext
context
get_huioiyyfouewfw
get_SchemaSerializationMode
set_SchemaSerializationMode
value
get_Tables
DataTableCollection
get_Relations
DataRelationCollection
InitializeDerivedDataSet
Clone
ShouldSerializeTables
ShouldSerializeRelations
ReadXmlSerializable
System.Xml
XmlReader
reader
GetSchemaSerializable
XmlSchema
System.Xml.Schema
InitVars
initTable
InitClass
ShouldSerializehuioiyyfouewfw
SchemaChanged
CollectionChangeEventArgs
GetTypedDataSetSchema
XmlSchemaComplexType
XmlSchemaSet
huioiyyfouewfw
Tables
Relations
huioiyyfouewfwDataTable
System.Data.DataSetExtensions
TypedTableBase`1
columniashdiufhqwyeuf
DataColumn
columnDataColumn1
columnDataColumn2
columnDataColumn3
columnfhidfjwieuhfweiufq
huioiyyfouewfwRowChanging
huioiyyfouewfwRowChanged
huioiyyfouewfwRowDeleting
huioiyyfouewfwRowDeleted
DataTable
table
get_iashdiufhqwyeufColumn
get_DataColumn1Column
get_DataColumn2Column
get_DataColumn3Column
get_fhidfjwieuhfweiufqColumn
get_Count
get_Item
index
add_huioiyyfouewfwRowChanging
remove_huioiyyfouewfwRowChanging
add_huioiyyfouewfwRowChanged
remove_huioiyyfouewfwRowChanged
add_huioiyyfouewfwRowDeleting
remove_huioiyyfouewfwRowDeleting
add_huioiyyfouewfwRowDeleted
remove_huioiyyfouewfwRowDeleted
AddhuioiyyfouewfwRow
iashdiufhqwyeuf
DataColumn1
DataColumn2
DataColumn3
fhidfjwieuhfweiufq
CreateInstance
NewhuioiyyfouewfwRow
NewRowFromBuilder
DataRow
DataRowBuilder
builder
GetRowType
OnRowChanged
DataRowChangeEventArgs
OnRowChanging
OnRowDeleted
OnRowDeleting
RemovehuioiyyfouewfwRow
GetTypedTableSchema
iashdiufhqwyeufColumn
DataColumn1Column
DataColumn2Column
DataColumn3Column
fhidfjwieuhfweiufqColumn
Count
huioiyyfouewfwRowChangeEventHandler
MulticastDelegate
object
method
Invoke
BeginInvoke
IAsyncResult
AsyncCallback
callback
EndInvoke
result
huioiyyfouewfwRow
get_iashdiufhqwyeuf
set_iashdiufhqwyeuf
get_DataColumn1
set_DataColumn1
get_DataColumn2
set_DataColumn2
get_DataColumn3
set_DataColumn3
get_fhidfjwieuhfweiufq
set_fhidfjwieuhfweiufq
IsiashdiufhqwyeufNull
SetiashdiufhqwyeufNull
IsDataColumn1Null
SetDataColumn1Null
IsDataColumn2Null
SetDataColumn2Null
IsDataColumn3Null
SetDataColumn3Null
IsfhidfjwieuhfweiufqNull
SetfhidfjwieuhfweiufqNull
huioiyyfouewfwRowChangeEvent
eventRow
eventAction
DataRowAction
action
get_Row
get_Action
Action
DamageSpell
_attackValue
_currentCharges
_maxCharges
_chargersPerUse
get_CurrentCharges
set_CurrentCharges
get_MaxCharges
get_ChargesPerUse
get_AttackValue
CastSpell
CurrentCharges
MaxCharges
ChargesPerUse
AttackValue
endScreen
deathScreenLabel
playAgainButton
endScreenGroupBox
playAgainButton_Click
EquippedItems
_slots
GetItem
Equip
Unequip
CalcTotalWeight
CalcTotalAttackValue
CalcTotalDefenseValue
InventoryScreen
invetoryTitleLabel
nextButtonButton
inventoryGroupBox
lootBox
ListBox
addToBagButton
bagBox
bagCountLabel
removeButton
equipButton
weaponButton
label3
headButton
label9
label8
legsButton
label7
label6
armsButton
label5
bodyButton
label4
attackLabel
defenseLabel
exceptionLabel
nextButtonButton_Click
addToBagButton_Click
removeButton_Click
lootBox_SelectedIndexChanged
bagBox_SelectedIndexChanged
equipButton_Click
changeButtons
headButton_Click
weaponButton_Click
bodyButton_Click
armsButton_Click
legsButton_Click
disableButtons
ISpell
NaturalWeapon
lowerRange
upperRange
StoredItems
_items
_count
get_Capacity
SetItem
AddItem
RemoveItem
Capacity
BronzeSword
BronzeVambraces
Character
_equipped
_currentHealth
_dead
currentHealth
get_Bag
get_Equipped
get_CurrentHealth
get_IsDead
TakeDamage
damage
Pickup
UnequipAll
Equipped
CurrentHealth
IsDead
Form1
playButton
mainMenuGroup
nameTextBox
TextBox
pictureBox1
PictureBox
playButton_Click
ResumeLayout
Gambeson
GameManager
_player
_enemy
_depth
_gameOver
_gameWon
_enemyFactory
_itemFactory
_inventoryScreenCount
get_Player
get_Enemy
get_EnemyFactory
get_Depth
get_GameOver
get_GameWon
performAttackPhase
GenerateNewEnemy
UsePoition
poitionNumber
Player
Enemy
EnemyFactory
Depth
GameOver
GameWon
IArmor
InventorySlotId
value__
UNEQUIPPABLE
HELMET
CHESTPIECE
GREAVES
VAMBRACES
WEAPON
POTION1
POTION2
IPotion
get_HealValue
HealValue
IronChestpiece
IronGreaves
IronHelmet
IronSword
IronVambraces
IComparable
get_Id
System.IComparable.CompareTo
CompareTo
Equals
GetHashCode
IWeapon
LargeHealthPotion
_healValue
_slot2
healValue
get_Slot2
Slot2
MediumHealthPotion
Program
RandomEnemyFactory
_random
_randCharacter
get_RandomNum
GenerateRandomEnemy
depth
RandomNum
RandomHealthPotion
RandomItemFactory
random
GenerateItem
enemyDifficulty
Natural
SteelSword
UltraSword
SteelHelmet
SteelChestpiece
SteelVambraces
SteelGreaves
SmallPotion
MediumPotion
LargePotion
RandomPotion
SmallHealthPotion
SteelChestPiece
button1
Resources
MidtermFirstBuild.Properties
resourceMan
ResourceManager
System.Resources
resourceCulture
CultureInfo
System.Globalization
get_ResourceManager
get_Culture
set_Culture
get_Encrypted2
get_tOOaUwruZzQLNPjsaTAlhhH
System.Drawing
Bitmap
Culture
Encrypted2
tOOaUwruZzQLNPjsaTAlhhH
Settings
ApplicationSettingsBase
System.Configuration
defaultInstance
get_Default
Default
jBeEyZQZFLS
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
System.Reflection
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
System.Runtime.InteropServices
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
DesignerCategoryAttribute
ToolboxItemAttribute
XmlSchemaProviderAttribute
System.Xml.Serialization
XmlRootAttribute
HelpKeywordAttribute
System.ComponentModel.Design
DebuggerNonUserCodeAttribute
GeneratedCodeAttribute
System.CodeDom.Compiler
BrowsableAttribute
DesignerSerializationVisibilityAttribute
DesignerSerializationVisibility
DefaultMemberAttribute
CompilerGeneratedAttribute
DebuggerBrowsableAttribute
DebuggerBrowsableState
STAThreadAttribute
EditorBrowsableAttribute
EditorBrowsableState
MidtermFirstBuild.CombatScreen.resources
MidtermFirstBuild.endScreen.resources
MidtermFirstBuild.Form1.resources
MidtermFirstBuild.GameWonScreen.resources
MidtermFirstBuild.InventoryScreen.resources
MidtermFirstBuild.Properties.Resources.resources
MidtermFirstBuild.Test.resources
String
Concat
Environment
GetEnvironmentVariable
FailFast
get_ProcessName
ToLower
Contains
ParameterizedThreadStart
System.Threading
Thread
set_IsBackground
Start
get_CurrentThread
Sleep
Debugger
get_IsAttached
IsLogging
GetCurrentProcess
get_Handle
IntPtr
op_Equality
Close
get_Size
get_IsAlive
GetProcessById
Marshal
SizeOf
Win32Exception
ToInt32
ArgumentException
Int32
Assembly
GetTypes
Microsoft.VisualBasic
ProjectData
Microsoft.VisualBasic.CompilerServices
EndApp
MethodInfo
GetMethods
MethodBase
Encoding
System.Text
GetBytes
Rfc2898DeriveBytes
System.Security.Cryptography
RijndaelManaged
DeriveBytes
SymmetricAlgorithm
set_Key
set_IV
CreateDecryptor
ICryptoTransform
TransformFinalBlock
Array
Control
set_Text
set_Visible
set_Enabled
set_Dock
DockStyle
get_Controls
ControlCollection
IDisposable
ContainerControl
SuspendLayout
set_AutoSize
Point
set_Location
set_Name
set_Size
set_TabIndex
ButtonBase
set_UseVisualStyleBackColor
EventHandler
add_Click
set_TabStop
SizeF
set_AutoScaleDimensions
set_AutoScaleMode
AutoScaleMode
PerformLayout
CollectionChangeEventHandler
BeginInit
add_CollectionChanged
EndInit
IsBinarySerialized
GetTypeFromHandle
RuntimeTypeHandle
GetValue
DetermineSchemaSerializationMode
StringReader
System.IO
XmlTextReader
TextReader
ReadXmlSchema
get_DataSetName
set_DataSetName
get_Prefix
set_Prefix
get_Namespace
set_Namespace
get_Locale
set_Locale
get_CaseSensitive
set_CaseSensitive
get_EnforceConstraints
set_EnforceConstraints
Merge
MissingSchemaAction
GetSerializationData
Reset
ReadXml
XmlReadMode
MemoryStream
XmlTextWriter
Stream
WriteXmlSchema
XmlWriter
set_Position
ValidationEventHandler
CollectionChangeAction
XmlSchemaSequence
XmlSchemaAny
IEnumerator
System.Collections
XmlSchemaGroupBase
get_Items
XmlSchemaObjectCollection
XmlSchemaObject
set_Particle
XmlSchemaParticle
get_TargetNamespace
Write
Schemas
ICollection
IEnumerable
GetEnumerator
get_Current
SetLength
get_Length
get_Position
ReadByte
MoveNext
set_TableName
get_TableName
get_DataSet
op_Inequality
get_MinimumCapacity
set_MinimumCapacity
get_Rows
DataRowCollection
InternalDataCollectionBase
Delegate
Combine
Interlocked
CompareExchange
Remove
NewRow
set_ItemArray
get_Columns
DataColumnCollection
MappingType
XmlSchemaAttribute
Decimal
set_MinOccurs
set_MaxOccurs
set_ProcessContents
XmlSchemaContentProcessing
set_FixedValue
get_Attributes
get_Table
InvalidCastException
StrongTypingException
Exception
set_Item
IsNull
Convert
DBNull
ObjectCollection
Format
get_SelectedItem
get_Message
ListControl
get_SelectedIndex
Clear
set_FormattingEnabled
set_ItemHeight
set_ScrollAlwaysVisible
add_SelectedIndexChanged
get_Text
IsNullOrEmpty
ISupportInitialize
SystemColors
get_ControlDarkDark
Color
set_BackColor
FontStyle
GraphicsUnit
set_Font
set_ClientSize
NewGuid
GetType
Application
EnableVisualStyles
SetCompatibleTextRenderingDefault
get_Assembly
GetObject
SettingsBase
Synchronized
WrapNonExceptionThrows
MidtermFirstBuild
arche noVa is a non-profit- and non-governmental organisation working primarily on the field of humanitarian aid, development cooperation and education.
arche noVa
arche noVa 2020 (C)
$ac484348-a34e-4641-85f2-c1fbc9fb6bd5
2020.0.8.1
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
GetTypedDataSetSchema
IAHDAIYGDYDGIDDD
vs.data.DataSet
(System.Data.Design.TypedDataSetGenerator
16.0.0.0
GetTypedTableSchema
3System.Resources.Tools.StronglyTypedResourceBuilder
16.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
16.1.0.0
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Encrypted2
tOOaUwruZzQLNPjsaTAlhhH
_PROFILER
_ENABLE_PROFILING
dnspy
Bronze Greaves
Defense:
Bronze Helmet
Your bag is full, you can't hold anymore items
tOOaUwruZzQLNPjsaTAlhhH
newworldorder
MidtermFirstBuild
Attack:
Health:
Defense
Defense:
Depth:
playerName
label1
playerAttack
label2
PlayerHealth
label3
enemyName
enemyAttack
enemyHealth
attackButton
Attack
depthCounter
goToInvetoryButton
Go to invetory
combatGroupBox
Use potion 2
Use potion 1
potion2Button
button2
potion1Button
button
enemyDefense
playerDefense
CombatScreen
You won
GameWonScreen
XmlSchema
huioiyyfouewfw
IAHDAIYGDYDGIDDD
http://tempuri.org/IAHDAIYGDYDGIDDD.xsd
iashdiufhqwyeuf
DataColumn1
DataColumn2
DataColumn3
fhidfjwieuhfweiufq
http://www.w3.org/2001/XMLSchema
urn:schemas-microsoft-com:xml-diffgram-v1
namespace
tableTypeName
huioiyyfouewfwDataTable
The value for column 'iashdiufhqwyeuf' in table 'huioiyyfouewfw' is DBNull.
The value for column 'DataColumn1' in table 'huioiyyfouewfw' is DBNull.
The value for column 'DataColumn2' in table 'huioiyyfouewfw' is DBNull.
The value for column 'DataColumn3' in table 'huioiyyfouewfw' is DBNull.
The value for column 'fhidfjwieuhfweiufq' in table 'huioiyyfouewfw' is DBNull.
Storm of 100 fists
Attack:
deathScreenLabel
YOU DIED
playAgainButton
Play Again
endScreenGroupBox
endScreen
{0}/20 items
invetoryTitleLabel
Equipped Items
nextButtonButton
Next Battle
inventoryGroupBox
defenseLabel
label10
attackLabel
label9
Potion 2
button1
label8
legsButton
label7
Potion 1
label6
armsButton
label5
bodyButton
label4
Weapon
weaponButton
headButton
equipButton
Equip
removeButton
Remove
bagCountLabel
addToBagButton
Add to bag
bagBox
lootBox
exceptionLabel
InventoryScreen
Natural
Bronze Sword
Bronze Vambraces
playButton
mainMenuGroup
nameTextBox
Papyrus
Please enter your name
pictureBox1
Form1
Form2
Gambeson
The End
Iron ChestPiece
Iron Greaves
Iron Helmet
Iron Sword
Iron Vambraces
Large Health Potion
Heal value:
Medium Health Potion
The Shatterd One
The Guardian
Agatha the crusher
Goblin
Undead
Kobold
Wizard
Juggernaught
Dragon
Random Health Potion
Small Health Potion
Steel ChestPiece
Steel Greaves
Steel Helmet
Steel Sword
Steel Vambraces
Ultra Sword
MidtermFirstBuild.Properties.Resources
Encrypted2
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
arche noVa is a non-profit- and non-governmental organisation working primarily on the field of humanitarian aid, development cooperation and education.
CompanyName
arche noVa
FileDescription
MidtermFirstBuild
FileVersion
2020.0.8.1
InternalName
jBeEyZQZFLS.exe
LegalCopyright
arche noVa 2020 (C)
LegalTrademarks
arche noVa
OriginalFilename
jBeEyZQZFLS.exe
ProductName
MidtermFirstBuild
ProductVersion
2020.0.8.1
Assembly Version
2020.0.8.1

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean DrWeb BackDoor.SpyBotNET.17 MicroWorld-eScan Gen:Variant.Razy.673954
CMC Clean CAT-QuickHeal Trojan.Sonbokli McAfee Trojan-FSJJ!389FCC1B4DA0
Malwarebytes Trojan.PCrypt.MSIL.Generic VIPRE Trojan.Win32.Generic!BT Sangfor Malware
K7AntiVirus Trojan ( 0056739f1 ) BitDefender Gen:Variant.Razy.673954 K7GW Trojan ( 0056739f1 )
Cybereason Clean BitDefenderTheta Gen:[email protected] Cyren W32/MSIL_Kryptik.ASY.gen!Eldorado
Symantec Trojan.Gen.2 ESET-NOD32 a variant of MSIL/Kryptik.WAD APEX Malicious
Avast Win32:PWSX-gen [Trj] ClamAV Clean GData Gen:Variant.Razy.673954
Kaspersky HEUR:Backdoor.MSIL.Remcos.gen Alibaba TrojanSpy:MSIL/AgentTesla.47db0d60 NANO-Antivirus Trojan.Win32.SpyBotNET.hknrdj
ViRobot Trojan.Win32.S.Infostealer.418816 AegisLab Trojan.MSIL.Remcos.m!c Rising Backdoor.Remcos!8.B89E (CLOUD)
Endgame malicious (high confidence) Sophos Mal/Generic-S Comodo Clean
F-Secure Trojan.TR/AD.AgentTesla.moalm Baidu Clean Zillya Trojan.Kryptik.Win32.2038691
Invincea heuristic McAfee-GW-Edition BehavesLike.Win32.Generic.gc Trapmine Clean
Emsisoft Gen:Variant.Razy.673954 (B) SentinelOne DFI - Malicious PE F-Prot W32/MSIL_Kryptik.ASY.gen!Eldorado
Jiangmin Backdoor.MSIL.cync MaxSecure Trojan.Malware.300983.susgen Avira TR/AD.AgentTesla.moalm
MAX malware (ai score=80) Antiy-AVL Trojan[Backdoor]/MSIL.Remcos Kingsoft Clean
Arcabit Clean SUPERAntiSpyware Clean AhnLab-V3 Malware/Win32.RL_Generic.C4106668
ZoneAlarm HEUR:Backdoor.MSIL.Remcos.gen Avast-Mobile Clean Cynet Clean
TotalDefense Clean Acronis Clean ALYac Gen:Variant.Razy.673954
TACHYON Clean Ad-Aware Gen:Variant.Razy.673954 Cylance Unsafe
Panda Trj/GdSda.A Zoner Clean TrendMicro-HouseCall TROJ_GEN.R002C0DEP20
Tencent Win32.Trojan.Inject.Auto Yandex Trojan.Kryptik!g4ZmPSPSfc4 Ikarus Trojan.MSIL.Krypt
eGambit Clean Fortinet MSIL/Agent.9D7E!tr Webroot Clean
AVG Win32:PWSX-gen [Trj] Paloalto generic.ml CrowdStrike win/malicious_confidence_70% (W)
Qihoo-360 Generic/Backdoor.23a
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.7 55169 1.1.1.1 53
192.168.1.7 56221 1.1.1.1 53
192.168.1.7 57251 1.1.1.1 53
192.168.1.7 62371 1.1.1.1 53
192.168.1.7 137 192.168.1.255 137
192.168.1.7 55169 8.8.8.8 53
192.168.1.7 56221 8.8.8.8 53
192.168.1.7 57251 8.8.8.8 53
192.168.1.7 62371 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1045 - Software Packing
    • Signature - packer_entropy

    Processing ( 1.338 seconds )

    • 0.516 Static
    • 0.225 VirusTotal
    • 0.205 BehaviorAnalysis
    • 0.173 static_dotnet
    • 0.066 CAPE
    • 0.041 NetworkAnalysis
    • 0.04 TargetInfo
    • 0.027 Deduplicate
    • 0.019 AnalysisInfo
    • 0.014 Strings
    • 0.006 peid
    • 0.005 Debug
    • 0.001 Suricata

    Signatures ( 0.26000000000000006 seconds )

    • 0.049 antiav_detectreg
    • 0.02 infostealer_ftp
    • 0.017 territorial_disputes_sigs
    • 0.013 antiav_detectfile
    • 0.013 masquerade_process_name
    • 0.012 infostealer_im
    • 0.01 antianalysis_detectreg
    • 0.01 ransomware_files
    • 0.008 infostealer_bitcoin
    • 0.007 antianalysis_detectfile
    • 0.006 infostealer_mail
    • 0.006 ransomware_extensions
    • 0.005 antivm_vbox_files
    • 0.005 antivm_vbox_keys
    • 0.004 stealth_timeout
    • 0.003 api_spamming
    • 0.003 decoy_document
    • 0.003 persistence_autorun
    • 0.003 NewtWire Behavior
    • 0.003 antivm_vmware_keys
    • 0.003 geodo_banking_trojan
    • 0.003 qulab_files
    • 0.002 Doppelganging
    • 0.002 Unpacker
    • 0.002 antiemu_wine_func
    • 0.002 betabot_behavior
    • 0.002 dynamic_function_loading
    • 0.002 kibex_behavior
    • 0.002 antidbg_devices
    • 0.002 antivm_parallels_keys
    • 0.002 antivm_xen_keys
    • 0.002 predatorthethief_files
    • 0.001 InjectionCreateRemoteThread
    • 0.001 InjectionProcessHollowing
    • 0.001 antiav_avast_libs
    • 0.001 antidebug_guardpages
    • 0.001 antivm_generic_disk
    • 0.001 antivm_generic_scsi
    • 0.001 antivm_generic_services
    • 0.001 exec_crash
    • 0.001 hawkeye_behavior
    • 0.001 infostealer_browser_password
    • 0.001 injection_createremotethread
    • 0.001 injection_runpe
    • 0.001 kazybot_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 mimics_filetime
    • 0.001 network_tor
    • 0.001 reads_self
    • 0.001 shifu_behavior
    • 0.001 tinba_behavior
    • 0.001 vawtrak_behavior
    • 0.001 virus
    • 0.001 antivm_generic_diskreg
    • 0.001 antivm_vbox_devices
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vpc_keys
    • 0.001 ketrican_regkeys
    • 0.001 browser_security
    • 0.001 codelux_behavior
    • 0.001 disables_browser_warn
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint

    Reporting ( 2.853 seconds )

    • 2.787 BinGraph
    • 0.063 MITRE_TTPS
    • 0.003 PCAP2CERT