1.5
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.59
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/Ausiv.05c829ce | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-BCFZ [Trj] | 20191123 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20191123 | 2013.8.14.323 |
| McAfee | Packed-SU!E4CD0B26FD43 | 20191123 | 6.0.6.653 |
| Tencent | Trojan.Win32.Kryptik.fwwy | 20191123 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | .code |
| section | .NewSec |
动态指标
在文件系统上创建可执行文件
(50 out of 55 个事件)
| file | c:\Program Files (x86)\360\360DrvMgr\drv_uninst.exe |
| file | c:\Program Files (x86)\360\360TptMon\deepscan\heavygate.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\ScriptExecute.exe |
| file | c:\gcoxh\bin\execsc.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\feedback\DrvMgrFeedBack.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\360net.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\SignHelper.dll |
| file | c:\honoyvla\bin\is32bit.exe |
| file | c:\honoyvla\bin\inject-x86.exe |
| file | c:\Program Files (x86)\360\360TptMon\InstallTMDB64.exe |
| file | c:\Program Files (x86)\360\360TptMon\feedback\360ScreenCapture.exe |
| file | c:\Program Files (x86)\360\360TptMon\feedback\TptMonFeedBack.exe |
| file | c:\Program Files (x86)\Common Files\microsoft shared\VC\msdia80.dll |
| file | c:\Program Files (x86)\360\360TptMon\Uninstall.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\atiags32.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\DIFxAPI_x86.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\DrvInst64.exe |
| file | c:\Program Files (x86)\Common Files\microsoft shared\VC\msdia100.dll |
| file | c:\gcoxh\bin\Procmon.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\dynlbase.dll |
| file | c:\gcoxh\bin\monitor-x86.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\LiveUpdate360.exe |
| file | c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\7z.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\360NetUL.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\360P2SP.dll |
| file | c:\Program Files (x86)\360\360TptMon\MiniUI.dll |
| file | c:\gcoxh\bin\is32bit.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\Utils\360ini.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\sqlite3.dll |
| file | c:\install.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\ComputerZ2.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\LiveUpd360.dll |
| file | c:\honoyvla\bin\inject-x64.exe |
| file | c:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll |
| file | c:\gcoxh\bin\inject-x86.exe |
| file | c:\honoyvla\bin\execsc.exe |
| file | c:\gcoxh\bin\inject-x64.exe |
| file | c:\Program Files (x86)\360\360DrvMgr\feedback\360ScreenCapture.exe |
| file | c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll |
| file | c:\Program Files (x86)\360\360TptMon\InstallTMDB.exe |
| file | c:\Program Files (x86)\360\360TptMon\deepscan\cloudcom2.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\360Common.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\dynlenv.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\7za.dll |
| file | c:\Program Files (x86)\360\360TptMon\360NetUL.dll |
| file | c:\install.res.2052.dll |
| file | c:\Program Files (x86)\360\360DrvMgr\ComputerZ5.dll |
| file | c:\Program Files (x86)\Common Files\microsoft shared\VC\amd64\msdia80.dll |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
通过文件的存在尝试检测Cuckoo Sandbox
(2 个事件)
| file | c:\gcoxh\analyzer.py |
| file | c:\honoyvla\analyzer.py |
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | Gen:Variant.Ulise.1219 |
| APEX | Malicious |
| AVG | Win32:Agent-BCFZ [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Ulise.1219 |
| AhnLab-V3 | Trojan/Win32.Ransom.R213603 |
| Alibaba | Trojan:Win32/Ausiv.05c829ce |
| Arcabit | Trojan.Ulise.D4C3 |
| Avast | Win32:Agent-BCFZ [Trj] |
| Avira | TR/ATRAPS.Gen2 |
| BitDefender | Gen:Variant.Ulise.1219 |
| BitDefenderTheta | Gen:NN.ZexaF.32253.tzZ@a8Hp6rci |
| Bkav | W32.OverlayND.PE |
| CAT-QuickHeal | W32.Sivis.A5 |
| ClamAV | Win.Packed.Sivis-6726654-0 |
| Comodo | Virus.Win32.VirLock.GA@7lv9go |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.6fd436 |
| Cylance | Unsafe |
| Cyren | W32/S-a846205f!Eldorado |
| DrWeb | Trojan.Encoder.14453 |
| ESET-NOD32 | Win32/Ausiv.A |
| Emsisoft | Gen:Variant.Ulise.1219 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-a846205f!Eldorado |
| F-Secure | Trojan.TR/ATRAPS.Gen2 |
| FireEye | Generic.mg.e4cd0b26fd436d45 |
| Fortinet | W32/Ausiv.A |
| GData | Gen:Variant.Ulise.1219 |
| Ikarus | Trojan.Win32.Ausiv |
| Invincea | heuristic |
| Jiangmin | Packed.Krap.fyig |
| K7AntiVirus | Trojan ( 005205011 ) |
| K7GW | Trojan ( 00517a0d1 ) |
| Kaspersky | Packed.Win32.Krap.jc |
| MAX | malware (ai score=80) |
| Malwarebytes | Ransom.Winlock |
| McAfee | Packed-SU!E4CD0B26FD43 |
| McAfee-GW-Edition | BehavesLike.Win32.Sivis.tm |
| MicroWorld-eScan | Gen:Variant.Ulise.1219 |
| Microsoft | Trojan:Win32/Ausiv |
| NANO-Antivirus | Trojan.Win32.Krap.espnuv |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Win32/Trojan.4a8 |
| Rising | Virus.Sivis!1.A647 (CLASSIC) |
| SUPERAntiSpyware | Ransom.Winlock/Variant |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/Sivis-B |
| Symantec | W32.Suviapen |
| Tencent | Trojan.Win32.Kryptik.fwwy |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2010-08-01 18:32:37
PE Imphash
a8f69eb2cf9f30ea96961c86b4347282
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .code | 0x00001000 | 0x00000731 | 0x00000731 | 5.3388387628341984 |
| .text | 0x00002000 | 0x00001998 | 0x00001998 | 6.191552965438028 |
| .rdata | 0x00004000 | 0x0000001c | 0x0000001c | 1.7695459925589747 |
| .data | 0x00005000 | 0x000007a8 | 0x000007a8 | 4.978687910630875 |
| .rsrc | 0x00006000 | 0x000002bc | 0x000002bc | 5.067445284189073 |
| .NewSec | 0x00007000 | 0x00001000 | 0x00001000 | 0.5323488848091313 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00006058 | 0x00000263 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library MSVCRT.dll:
• 0x4051fc memset
• 0x405200 memcpy
• 0x405204 _stricmp
• 0x405208 strncmp
• 0x40520c _strnicmp
• 0x405210 strcmp
• 0x405214 memmove
• 0x405218 strlen
• 0x40521c strcpy
• 0x405220 strcat
• 0x405224 strncpy
Library KERNEL32.dll:
• 0x40522c GetModuleHandleA
• 0x405230 HeapCreate
• 0x405234 HeapDestroy
• 0x405238 ExitProcess
• 0x40523c GetCurrentThreadId
• 0x405240 GetTickCount
• 0x405244 HeapAlloc
• 0x405248 HeapFree
• 0x40524c WriteFile
• 0x405250 CloseHandle
• 0x405254 CreateFileA
• 0x405258 GetFileSize
• 0x40525c ReadFile
• 0x405260 SetFilePointer
• 0x405264 InitializeCriticalSection
• 0x405268 GetModuleFileNameA
• 0x40526c GetCurrentProcess
• 0x405270 DuplicateHandle
• 0x405274 CreatePipe
• 0x405278 GetStdHandle
• 0x40527c CreateProcessA
• 0x405280 WaitForSingleObject
• 0x405284 EnterCriticalSection
• 0x405288 LeaveCriticalSection
• 0x40528c GetCurrentProcessId
• 0x405290 GetDriveTypeA
• 0x405294 FindFirstFileA
• 0x405298 FindClose
• 0x40529c GetFileAttributesA
• 0x4052a0 CreateDirectoryA
• 0x4052a4 GetLastError
• 0x4052a8 FindNextFileA
• 0x4052ac SetFileAttributesA
• 0x4052b0 HeapReAlloc
Library COMCTL32.DLL:
• 0x4052b8 InitCommonControls
Library USER32.DLL:
• 0x4052c0 MessageBoxA
• 0x4052c4 GetWindowThreadProcessId
• 0x4052c8 IsWindowVisible
• 0x4052cc IsWindowEnabled
• 0x4052d0 GetForegroundWindow
• 0x4052d4 EnableWindow
• 0x4052d8 EnumWindows
Library SHELL32.DLL:
• 0x4052e0 ShellExecuteExA
Library OLE32.DLL:
• 0x4052e8 CoInitialize
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
visuaMZ
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
visuaMZ
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
visuaMZ
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.NewSec
RR G n
^UQQ=`W@
EPEPV@
UQ=`W@
ADiS3B+
QSUVWD$
u8-TR@
tQ3;tKxP@
_^][Y_^][Y
_^]3[Y
UQV5lR@
SVW3jD^V3ESGPE`
]X]P]D]\]H]T]@]LE0
t3SE0PEPPEXP
E<trEx
t3SE0PE\PEDP
Ex t3SE0PETPEHP
?"E|t#
]tE PEPutSu`uLSSu|S
u\9]Xt
uX9]Tt
uTu$Ex
9]<tEW@
j(hdW@
u\9]Dt
uD9]Pt
uP9]Xt
uX9]Tt
uT9]Ht
9]tu4W
t8;Yv%>\t
E|Y+Y\
Etj<^VESP
EEtEEpE
9]<t:W@
j(hdW@
u|S5V@
E@_^[d
=V5lW@
I9\tPP
.\u%\u
SVW339
YY?Vt$
VW=DR@
]UQtW@
EEPMQUR
Information
Couldn't open the file!
C:/exp/
[File]
[Sub-Dir]
o%}oooooEo%o
[}#}9}S}P}%[}}
}>}My}3}]}#C}8}k
}h}8});}
'}&}O=}
}@}$)}3}[}
D}U6}=}U=}p'}
memset
MSVCRT.dll
GetModuleHandleA
HeapCreate
HeapDestroy
ExitProcess
KERNEL32.dll
memcpy
_stricmp
strncmp
_strnicmp
strcmp
memmove
strlen
strcpy
strcat
strncpy
GetCurrentThreadId
GetTickCount
HeapAlloc
HeapFree
WriteFile
CloseHandle
CreateFileA
GetFileSize
ReadFile
SetFilePointer
InitializeCriticalSection
GetModuleFileNameA
GetCurrentProcess
DuplicateHandle
CreatePipe
GetStdHandle
CreateProcessA
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
GetDriveTypeA
FindFirstFileA
FindClose
GetFileAttributesA
CreateDirectoryA
GetLastError
FindNextFileA
SetFileAttributesA
HeapReAlloc
InitCommonControls
COMCTL32.DLL
MessageBoxA
GetWindowThreadProcessId
IsWindowVisible
IsWindowEnabled
GetForegroundWindow
EnableWindow
EnumWindows
USER32.DLL
ShellExecuteExA
SHELL32.DLL
CoInitialize
OLE32.DLL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="X86"
name="CompanyName.ProductName.YourApp"
type="win32" />
<description></description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*" />
</dependentAssembly>
</dependency>
</assembly>
11CK3R1Z@HR1Z@=
uR1ZS1[@H3CKAI@R1Z@H=
uAI3S1[CKR1Z@Q1YBJR1Z=
uQ1YQ1Y
R1ZAI0TS1[BJ0S1[(R1Z(
mAI0(CK0fR1Z
visuavisua
visua# Copyright (C) 2010-2015 Cuckoo Foundation, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import os
import logging
import random
import subprocess
import platform
import urllib
import base64
from time import time
from ctypes import byref, c_ulong, create_string_buffer, c_int, sizeof
from shutil import copy
from lib.common.constants import PIPE, PATHS, SHUTDOWN_MUTEX, TERMINATE_EVENT, LOGSERVER_PREFIX
from lib.common.constants import CUCKOOMON32_NAME, CUCKOOMON64_NAME, LOADER32_NAME, LOADER64_NAME, CAWSMON32_NAME, CAWSMON64_NAME
from lib.common.defines import ULONG_PTR
from lib.common.defines import KERNEL32, NTDLL, SYSTEM_INFO, STILL_ACTIVE
from lib.common.defines import THREAD_ALL_ACCESS, PROCESS_ALL_ACCESS, TH32CS_SNAPPROCESS
from lib.common.defines import STARTUPINFO, PROCESS_INFORMATION, PROCESSENTRY32
from lib.common.defines import CREATE_NEW_CONSOLE, CREATE_SUSPENDED
from lib.common.defines import MEM_RESERVE, MEM_COMMIT, PAGE_READWRITE
from lib.common.defines import MEMORY_BASIC_INFORMATION
from lib.common.defines import WAIT_TIMEOUT, EVENT_MODIFY_STATE
from lib.common.defines import MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE
from lib.common.defines import GENERIC_READ, GENERIC_WRITE, OPEN_EXISTING
from lib.common.errors import get_error_string
from lib.common.rand import random_string
from lib.common.results import NetlogFile
from lib.core.config import Config
from lib.core.log import LogServer
IOCTL_PID = 0x222008
IOCTL_CUCKOO_PATH = 0x22200C
PATH_KERNEL_DRIVER = "\\\\.\\DriverSSDT"
LOGSERVER_POOL = dict()
ATTEMPTED_APC_INJECTS = dict()
ATTEMPTED_THREAD_INJECTS = dict()
log = logging.getLogger(__name__)
def is_os_64bit():
return platform.machine().endswith('64')
def get_referrer_url(interest):
"""Get a Google referrer URL
@return: URL to be added to the analysis config
"""
if "://" not in interest:
return ""
escapedurl = urllib.quote(interest, '')
itemidx = str(random.randint(1, 30))
vedstr = "0CCEQfj" + base64.urlsafe_b64encode(random_string(random.randint(5, 8) * 3))
eistr = base64.urlsafe_b64encode(random_string(12))
usgstr = "AFQj" + base64.urlsafe_b64encode(random_string(12))
referrer = "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd={0}&ved={1}&url={2}&ei={3}&usg={4}".format(itemidx, vedstr, escapedurl, eistr, usgstr)
return referrer
class Process:
"""Windows process."""
process_num = 0
# This adds 1 up to 30 times of 20 minutes to the startup
# time of the process, therefore bypassing anti-vm checks
# which check whether the VM has only been up for <10 minutes.
startup_time = random.randint(1, 30) * 20 * 60 * 1000
def __init__(self, pid=0, h_process=0, thread_id=0, h_thread=0, suspended=False):
"""@param pid: PID.
@param h_process: process handle.
@param thread_id: thread id.
@param h_thread: thread handle.
"""
self.pid = pid
self.h_process = h_process
self.thread_id = thread_id
self.h_thread = h_thread
self.suspended = suspended
self.system_info = SYSTEM_INFO()
self.critical = False
def __del__(self):
"""Close open handles."""
if self.h_process and self.h_process != KERNEL32.GetCurrentProcess():
KERNEL32.CloseHandle(self.h_process)
if self.h_thread:
KERNEL32.CloseHandle(self.h_thread)
def get_system_info(self):
"""Get system information."""
KERNEL32.GetSystemInfo(byref(self.system_info))
def open(self):
"""Open a process and/or thread.
@return: operation status.
"""
ret = bool(self.pid or self.thread_id)
if self.pid and not self.h_process:
if self.pid == os.getpid():
self.h_process = KERNEL32.GetCurrentProcess()
else:
self.h_process = KERNEL32.OpenProcess(PROCESS_ALL_ACCESS,
False,
self.pid)
ret = True
if self.thread_id and not self.h_thread:
self.h_thread = KERNEL32.OpenThread(THREAD_ALL_ACCESS,
False,
self.thread_id)
ret = True
return ret
def close(self):
"""Close any open handles.
@return: operation status.
"""
ret = bool(self.h_process or self.h_thread)
NT_SUCCESS = lambda val: val >= 0
if self.h_process:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_process))
self.h_process = None
if self.h_thread:
ret = NT_SUCCESS(KERNEL32.CloseHandle(self.h_thread))
self.h_thread = None
return ret
def exit_code(self):
"""Get process exit code.
@return: exit code value.
"""
if not self.h_process:
self.open()
exit_code = c_ulong(0)
KERNEL32.GetExitCodeProcess(self.h_process, byref(exit_code))
return exit_code.value
def get_filepath(self):
"""Get process image file path.
@return: decoded file path.
"""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = create_string_buffer(530)
size = c_int()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
27,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value > 8:
try:
fbuf = pbi.raw[8:]
fbuf = fbuf[:fbuf.find('\0\0')+1]
return fbuf.decode('utf16', errors="ignore")
except:
return ""
return ""
def is_alive(self):
"""Process is alive?
@return: process status.
"""
return self.exit_code() == STILL_ACTIVE
def set_critical(self):
self.critical = True
def is_critical(self):
"""Determines if process is 'critical' or not, so we can prevent
terminating it
"""
if not self.h_process:
self.open()
if self.critical:
return True
NT_SUCCESS = lambda val: val >= 0
val = c_ulong(0)
retlen = c_ulong(0)
ret = NTDLL.NtQueryInformationProcess(self.h_process, 29, byref(val), sizeof(val), byref(retlen))
if NT_SUCCESS(ret) and val.value:
return True
return False
def get_parent_pid(self):
"""Get the Parent Process ID."""
if not self.h_process:
self.open()
NT_SUCCESS = lambda val: val >= 0
pbi = (ULONG_PTR * 6)()
size = c_ulong()
# Set return value to signed 32bit integer.
NTDLL.NtQueryInformationProcess.restype = c_int
ret = NTDLL.NtQueryInformationProcess(self.h_process,
0,
byref(pbi),
sizeof(pbi),
byref(size))
if NT_SUCCESS(ret) and size.value == sizeof(pbi):
return pbi[5]
return None
def kernel_analyze(self):
"""zer0m0n kernel analysis
"""
log.info("Starting kernel analysis")
log.info("Installing driver")
if is_os_64bit():
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n_x64.sys")
else:
sys_file = os.path.join(os.getcwd(), "dll", "zer0m0n.sys")
exe_file = os.path.join(os.getcwd(), "dll", "logs_dispatcher.exe")
if not sys_file or not exe_file or not os.path.exists(sys_file) or not os.path.exists(exe_file):
log.warning("No valid zer0m0n files to be used for process with pid %d, injection aborted", self.pid)
return False
exe_name = random_string(6)
service_name = random_string(6)
driver_name = random_string(6)
inf_data = '[Version]\r\nSignature = "$Windows NT$"\r\nClass = "ActivityMonitor"\r\nClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}\r\nProvider= %Prov%\r\nDriverVer = 22/01/2014,1.0.0.0\r\nCatalogFile = %DriverName%.cat\r\n[DestinationDirs]\r\nDefaultDestDir = 12\r\nMiniFilter.DriverFiles = 12\r\n[DefaultInstall]\r\nOptionDesc = %ServiceDescription%\r\nCopyFiles = MiniFilter.DriverFiles\r\n[DefaultInstall.Services]\r\nAddService = %ServiceName%,,MiniFilter.Service\r\n[DefaultUninstall]\r\nDelFiles = MiniFilter.DriverFiles\r\n[DefaultUninstall.Services]\r\nDelService = %ServiceName%,0x200\r\n[MiniFilter.Service]\r\nDisplayName= %ServiceName%\r\nDescription= %ServiceDescription%\r\nServiceBinary= %12%\\%DriverName%.sys\r\nDependencies = "FltMgr"\r\nServiceType = 2\r\nStartType = 3\r\nErrorControl = 1\r\nLoadOrderGroup = "FSFilter Activity Monitor"\r\nAddReg = MiniFilter.AddRegistry\r\n[MiniFilter.AddRegistry]\r\nHKR,,"DebugFlags",0x00010001 ,0x0\r\nHKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%\r\nHKR,"Instances\\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%\r\nHKR,"Instances\\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%\r\n[MiniFilter.DriverFiles]\r\n%DriverName%.sys\r\n[SourceDisksFiles]\r\n'+driver_name+'.sys = 1,,\r\n[SourceDisksNames]\r\n1 = %DiskId1%,,,\r\n[Strings]\r\n'+'Prov = "'+random_string(8)+'"\r\nServiceDescription = "'+random_string(12)+'"\r\nServiceName = "'+service_name+'"\r\nDriverName = "'+driver_name+'"\r\nDiskId1 = "'+service_name+' Device Installation Disk"\r\nDefaultInstance = "'+service_name+' Instance"\r\nInstance1.Name = "'+service_name+' Instance"\r\nInstance1.Altitude = "370050"\r\nInstance1.Flags = 0x0'
new_inf = os.path.join(os.getcwd(), "dll", "{0}.inf".format(service_name))
new_sys = os.path.join(os.getcwd(), "dll", "{0}.sys".format(driver_name))
copy(sys_file, new_sys)
new_exe = os.path.join(os.getcwd(), "dll", "{0}.exe".format(exe_name))
copy(exe_file, new_exe)
log.info("[-] Driver name : "+new_sys)
log.info("[-] Inf name : "+new_inf)
log.info("[-] Application name : "+new_exe)
log.info("[-] Service : "+service_name)
fh = open(new_inf,"w")
fh.write(inf_data)
fh.close()
os_is_64bit = is_os_64bit()
if os_is_64bit:
wow64 = c_ulong(0)
KERNEL32.Wow64DisableWow64FsRedirection(byref(wow64))
os.system('cmd /c "rundll32 setupapi.dll, InstallHinfSection DefaultInstall 132 '+new_inf+'"')
os.system("net start "+service_name)
si = STARTUPINFO()
si.cb = sizeof(si)
pi = PROCESS_INFORMATION()
cr = CREATE_NEW_CONSOLE
ldp = KERNEL32.CreateProcessA(new_exe, None, None, None, None, cr, None, os.getenv("TEMP"), byref(si), byref(pi))
if not ldp:
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
log.error("Failed starting "+exe_name+".exe.")
return False
config_path = os.path.join(os.getenv("TEMP"), "%s.ini" % self.pid)
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
log.info("Sending startup information")
hFile = KERNEL32.CreateFileA(PATH_KERNEL_DRIVER, GENERIC_READ|GENERIC_WRITE,
0, None, OPEN_EXISTING, 0, None)
if os_is_64bit:
KERNEL32.Wow64RevertWow64FsRedirection(wow64)
if hFile:
p = Process(pid=os.getpid())
ppid = p.get_parent_pid()
pid_vboxservice = 0
pid_vboxtray = 0
# get pid of VBoxService.exe and VBoxTray.exe
proc_info = PROCESSENTRY32()
proc_info.dwSize = sizeof(PROCESSENTRY32)
snapshot = KERNEL32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
flag = KERNEL32.Process32First(snapshot, byref(proc_info))
while flag:
if proc_info.sz_exeFile == "VBoxService.exe":
log.info("VBoxService.exe found !")
pid_vboxservice = proc_info.th32ProcessID
flag = 0
elif proc_info.sz_exeFile == "VBoxTray.exe":
pid_vboxtray = proc_info.th32ProcessID
log.info("VBoxTray.exe found !")
flag = 0
flag = KERNEL32.Process32Next(snapshot, byref(proc_info))
bytes_returned = c_ulong(0)
msg = str(self.pid)+"_"+str(ppid)+"_"+str(os.getpid())+"_"+str(pi.dwProcessId)+"_"+str(pid_vboxservice)+"_"+str(pid_vboxtray)+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_PID, msg, len(msg), None, 0, byref(bytes_returned), None)
msg = os.getcwd()+'\0'
KERNEL32.DeviceIoControl(hFile, IOCTL_CUCKOO_PATH, unicode(msg), len(unicode(msg)), None, 0, byref(bytes_returned), None)
else:
log.warning("Failed to access kernel driver")
return True
def execute(self, path, args=None, suspended=False, kernel_analysis=False):
"""Execute sample process.
@param path: sample path.
@param args: process args.
@param suspended: is suspended.
@return: operation status.
"""
if not os.access(path, os.X_OK):
log.error("Unable to access file at path \"%s\", "
"execution aborted", path)
return False
startup_info = STARTUPINFO()
startup_info.cb = sizeof(startup_info)
# STARTF_USESHOWWINDOW
startup_info.dwFlags = 1
# SW_SHOWNORMAL
startup_info.wShowWindow = 1
process_info = PROCESS_INFORMATION()
arguments = "\"" + path + "\" "
if args:
arguments += args
creation_flags = CREATE_NEW_CONSOLE
if suspended:
self.suspended = True
creation_flags += CREATE_SUSPENDED
created = KERNEL32.CreateProcessA(path,
arguments,
None,
None,
None,
creation_flags,
None,
os.getenv("TEMP"),
byref(startup_info),
byref(process_info))
if created:
self.pid = process_info.dwProcessId
self.h_process = process_info.hProcess
self.thread_id = process_info.dwThreadId
self.h_thread = process_info.hThread
log.info("Successfully executed process from path \"%s\" with "
"arguments \"%s\" with pid %d", path, args or "", self.pid)
if kernel_analysis:
return self.kernel_analyze()
return True
else:
log.error("Failed to execute process from path \"%s\" with "
"arguments \"%s\" (Error: %s)", path, args,
get_error_string(KERNEL32.GetLastError()))
return False
def resume(self):
"""Resume a suspended thread.
@return: operation status.
"""
if not self.suspended:
log.warning("The process with pid %d was not suspended at creation"
% self.pid)
return False
if not self.h_thread:
return False
KERNEL32.Sleep(2000)
if KERNEL32.ResumeThread(self.h_thread) != -1:
self.suspended = False
log.info("Successfully resumed process with pid %d", self.pid)
return True
else:
log.error("Failed to resume process with pid %d", self.pid)
return False
def set_terminate_event(self):
"""Sets the termination event for the process.
"""
if self.h_process == 0:
self.open()
event_name = TERMINATE_EVENT + str(self.pid)
event_handle = KERNEL32.OpenEventA(EVENT_MODIFY_STATE, False, event_name)
if event_handle:
# make sure process is aware of the termination
KERNEL32.SetEvent(event_handle)
KERNEL32.CloseHandle(event_handle)
KERNEL32.Sleep(500)
def terminate(self):
"""Terminate process.
@return: operation status.
"""
if self.h_process == 0:
self.open()
if KERNEL32.TerminateProcess(self.h_process, 1):
log.info("Successfully terminated process with pid %d.", self.pid)
return True
else:
log.error("Failed to terminate process with pid %d.", self.pid)
return False
def is_64bit(self):
"""Determines if a process is 64bit.
@return: True if 64bit, False if not
"""
if self.h_process == 0:
self.open()
try:
val = c_int(0)
ret = KERNEL32.IsWow64Process(self.h_process, byref(val))
if ret and not val.value and is_os_64bit():
return True
except:
pass
return False
def old_inject(self, dll, apc):
arg = KERNEL32.VirtualAllocEx(self.h_process,
None,
len(dll) + 1,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE)
if not arg:
log.error("VirtualAllocEx failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
bytes_written = c_int(0)
if not KERNEL32.WriteProcessMemory(self.h_process,
arg,
dll + "\x00",
len(dll) + 1,
byref(bytes_written)):
log.error("WriteProcessMemory failed when injecting process with "
"pid %d, injection aborted (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
kernel32_handle = KERNEL32.GetModuleHandleA("kernel32.dll")
load_library = KERNEL32.GetProcAddress(kernel32_handle, "LoadLibraryA")
if apc or self.suspended:
if not self.h_thread:
log.info("No valid thread handle specified for injecting "
"process with pid %d, injection aborted.", self.pid)
return False
if not KERNEL32.QueueUserAPC(load_library, self.h_thread, arg):
log.error("QueueUserAPC failed when injecting process with "
"pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
new_thread_id = c_ulong(0)
thread_handle = KERNEL32.CreateRemoteThread(self.h_process,
None,
0,
load_library,
arg,
0,
byref(new_thread_id))
if not thread_handle:
log.error("CreateRemoteThread failed when injecting process "
"with pid %d (Error: %s)",
self.pid, get_error_string(KERNEL32.GetLastError()))
return False
else:
KERNEL32.CloseHandle(thread_handle)
return True
def check_inject(self):
if not self.pid:
return False
if self.thread_id or self.suspended:
if (self.pid, self.thread_id) in ATTEMPTED_APC_INJECTS:
return False
ATTEMPTED_APC_INJECTS[(self.pid, self.thread_id)] = True
else:
if self.pid in ATTEMPTED_THREAD_INJECTS:
return False
ATTEMPTED_THREAD_INJECTS[self.pid] = True
return True
def inject(self, dll=None, interest=None, nosleepskip=False):
"""Cuckoo DLL injection.
@param dll: Cuckoo DLL path.
@param interest: path to file of interest, handed to cuckoomon config
@param apc: APC use.
"""
global LOGSERVER_POOL
if not self.pid:
return False
thread_id = 0
if self.thread_id:
thread_id = self.thread_id
if not self.is_alive():
log.warning("The process with pid %s is not alive, "
"injection aborted", self.pid)
return False
is_64bit = self.is_64bit()
if not dll:
if is_64bit:
dll = CUCKOOMON64_NAME
else:
dll = CUCKOOMON32_NAME
elif dll == "cawsmon":
if is_64bit:
dll = CAWSMON64_NAME
else:
dll = CAWSMON32_NAME
else:
os.path.join("dll", dll)
dll = os.path.join(os.getcwd(), dll)
if not dll or not os.path.exists(dll):
log.warning("No valid DLL specified to be injected in process "
"with pid %d, injection aborted.", self.pid)
return False
if thread_id or self.suspended:
log.debug("Using QueueUserAPC injection.")
else:
log.debug("Using CreateRemoteThread injection.")
config_path = "C:\\%s.ini" % self.pid
with open(config_path, "w") as config:
cfg = Config("analysis.conf")
cfgoptions = cfg.get_options()
# start the logserver for this monitored process
logserver_path = LOGSERVER_PREFIX + str(self.pid)
if logserver_path not in LOGSERVER_POOL:
LOGSERVER_POOL[logserver_path] = LogServer(cfg.ip, cfg.port, logserver_path)
Process.process_num += 1
firstproc = Process.process_num == 1
config.write("host-ip={0}\n".format(cfg.ip))
config.write("host-port={0}\n".format(cfg.port))
config.write("pipe={0}\n".format(PIPE))
config.write("logserver={0}\n".format(logserver_path))
config.write("results={0}\n".format(PATHS["root"]))
config.write("analyzer={0}\n".format(os.getcwd()))
config.write("first-process={0}\n".format("1" if firstproc else "0"))
config.write("startup-time={0}\n".format(Process.startup_time))
config.write("file-of-interest={0}\n".format(interest))
config.write("shutdown-mutex={0}\n".format(SHUTDOWN_MUTEX))
config.write("terminate-event={0}{1}\n".format(TERMINATE_EVENT, self.pid))
if nosleepskip or ("force-sleepskip" not in cfgoptions and len(interest) > 2 and interest[1] != ':' and interest[0] != '\\' and Process.process_num <= 2):
config.write("force-sleepskip=0\n")
if "norefer" not in cfgoptions and "referrer" not in cfgoptions:
config.write("referrer={0}\n".format(get_referrer_url(interest)))
simple_optnames = [
"force-sleepskip",
"full-logs",
"force-flush",
"no-stealth",
"buffer-max",
"large-buffer-max",
"serial",
"sysvol_ctimelow",
"sysvol_ctimehigh",
"sys32_ctimelow",
"sys32_ctimehigh",
"debug",
"disable_hook_content",
"hook-type",
"exclude-apis",
"exclude-dlls",
"referrer",
]
for optname in simple_optnames:
if optname in cfgoptions:
config.write("{0}={1}\n".format(optname, cfgoptions[optname]))
orig_bin_name = ""
bit_str = ""
if is_64bit:
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "inject", str(self.pid), str(thread_id), dll])
if ret != 0:
if ret == 1:
log.info("Injected into suspended %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to inject into %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
return True
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
def dump_memory(self):
"""Dump process memory.
@return: operation status.
"""
if not self.pid:
log.warning("No valid pid specified, memory dump aborted")
return False
if not self.is_alive():
log.warning("The process with pid %d is not alive, memory "
"dump aborted", self.pid)
return False
bin_name = ""
bit_str = ""
file_path = os.path.join(PATHS["memory"], "{0}.dmp".format(self.pid))
if self.is_64bit():
orig_bin_name = LOADER64_NAME
bit_str = "64-bit"
else:
orig_bin_name = LOADER32_NAME
bit_str = "32-bit"
bin_name = os.path.join(os.getcwd(), orig_bin_name)
if os.path.exists(bin_name):
ret = subprocess.call([bin_name, "dump", str(self.pid), file_path])
if ret == 1:
log.info("Dumped %s process with pid %d", bit_str, self.pid)
else:
log.error("Unable to dump %s process with pid %d, error: %d", bit_str, self.pid, ret)
return False
else:
log.error("Please place the %s binary from cuckoomon into analyzer/windows/bin in order to analyze %s binaries.", os.path.basename(bin_name), bit_str)
return False
nf = NetlogFile(os.path.join("memory", "{0}.dmp".format(self.pid)))
infd = open(file_path, "rb")
buf = infd.read(1024*1024)
try:
while buf:
nf.send(buf, retry=True)
buf = infd.read(1024*1024)
except:
infd.close()
nf.close()
log.warning("Memory dump of process with pid %d failed", self.pid)
return False
infd.close()
nf.close()
log.info("Memory dump of process with pid %d completed", self.pid)
return True
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
C+Cdu^
[p/KZ dFBmI
} Ysy
st
c st
@st
c @st
l#333333?[k
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPHjbb
Color Picker
Custom
System
Alignment Picker
Bottom Center
Bottom Left
Bottom Right
Middle Center
Middle Left
Middle Right
Top Center
Top Left
Top Right
'The assembly '{0}' could not be loaded.
uThe toolbox item could not be retrieved from the toolbox. Try removing the item from the toolbox and adding it back.
The toolbox item could not be retrieved from the toolbox. Make sure the assembly that contains the toolbox item is correctly installed. The toolbox item raised the following error: {0}
Bitmap files
Icon files
All image files
Metafiles
v2.0.50727
#Strings
<Module>
System.Drawing.Design.dll
SRDescriptionAttribute
System.Drawing.Design
SRCategoryAttribute
ExternDll
System
ImageEditor
BitmapEditor
ColorEditor
ColorPalette
ColorPaletteAccessibleObject
ColorCellAccessibleObject
ColorUI
ColorEditorListBox
ColorEditorTabControl
CustomColorDialog
SystemColorComparer
StandardColorComparer
ContentAlignmentEditor
ContentUI
CursorEditor
CursorUI
DesignerToolboxInfo
FontEditor
FontNameEditor
IconEditor
MetafileEditor
NativeMethods
ToolboxService
DomainProxyObject
FilterSupport
ToolboxItemCreator
ToolboxItemContainer
BrokenToolboxItem
ToolboxItemSerializer
ToolboxSerializationBinder
UnsafeNativeMethods
System.ComponentModel
DescriptionAttribute
CategoryAttribute
mscorlib
Object
System.Drawing
UITypeEditor
System.Windows.Forms
Control
ControlAccessibleObject
AccessibleObject
ListBox
TabControl
ColorDialog
System.Collections
IComparer
IDisposable
IToolboxService
System.ComponentModel.Design
IComponentDiscoveryService
MarshalByRefObject
System.Runtime.Serialization
ISerializable
ToolboxItem
SerializationBinder
replaced
get_Description
Description
GetLocalizedString
imageFileDescription
ColorEditorSystemTab
ColorEditorStandardTab
bitmapFileDescription
ColorEditorPaletteTab
iconFileDescription
metafileFileDescription
ContentAlignmentEditorAccName
ContentAlignmentEditorTopLeftAccName
ContentAlignmentEditorTopCenterAccName
ContentAlignmentEditorTopRightAccName
ContentAlignmentEditorMiddleLeftAccName
ContentAlignmentEditorMiddleCenterAccName
ContentAlignmentEditorMiddleRightAccName
ContentAlignmentEditorBottomLeftAccName
ContentAlignmentEditorBottomCenterAccName
ContentAlignmentEditorBottomRightAccName
ColorEditorAccName
ToolboxServiceBadToolboxItem
ToolboxServiceBadToolboxItemWithException
ToolboxServiceAssemblyNotFound
loader
System.Resources
ResourceManager
resources
s_InternalSyncObject
get_InternalSyncObject
GetLoader
System.Globalization
CultureInfo
get_Culture
get_Resources
GetString
GetObject
InternalSyncObject
Culture
Resources
Activeds
Advapi32
Comctl32
Comdlg32
Gdiplus
Hhctrl
Kernel32
Loadperf
Mscoree
Mscorwks
Oleacc
Oleaut32
Olepro32
PerfCounter
Powrprof
Shell32
Shfolder
User32
Uxtheme
Winspool
Wtsapi32
Version
Vsassert
Shlwapi
Crypt32
Odbc32
OciDll
OraMtsDll
imageExtenders
FileDialog
fileDialog
GetImageExtenders
CreateExtensionsString
CreateFilterEntry
ITypeDescriptorContext
IServiceProvider
EditValue
UITypeEditorEditStyle
GetEditStyle
GetFileDialogDescription
GetExtensions
GetPaintValueSupported
System.IO
Stream
LoadFromStream
PaintValueEventArgs
PaintValue
colorUI
CELLS_ACROSS
CELLS_DOWN
CELLS_CUSTOM
CELL_SIZE
MARGIN
staticCells
staticColors
selectedColor
customColors
EventHandler
onPicked
get_CustomColors
get_FocusedCell
get_SelectedColor
set_SelectedColor
add_Picked
remove_Picked
CreateAccessibilityInstance
EventArgs
OnPicked
Rectangle
FillRectWithCellBounds
GetCellFromColor
GetColorFromCell
GetCell2DFromLocationMouse
GetCellFromLocationMouse
Get1DFrom2D
Get2DFrom1D
InvalidateSelection
InvalidateFocus
IsInputKey
LaunchDialog
OnGotFocus
KeyEventArgs
OnKeyDown
OnLostFocus
MouseEventArgs
OnMouseDown
OnMouseMove
OnMouseUp
PaintEventArgs
OnPaint
Graphics
ProcessDialogKey
SetFocus
CustomColors
FocusedCell
SelectedColor
Picked
get_ColorPalette
GetChildCount
GetChild
HitTest
parent
get_Bounds
get_Name
get_Parent
AccessibleRole
get_Role
AccessibleStates
get_State
get_Value
Bounds
Parent
editor
System.Windows.Forms.Design
IWindowsFormsEditorService
tabControl
TabPage
systemTabPage
commonTabPage
paletteTabPage
lbSystem
lbCommon
systemColorConstants
colorConstants
commonHeightSet
systemHeightSet
get_ColorValues
set_CustomColors
get_EditorService
get_SystemColorValues
AdjustColorUIHeight
AdjustListBoxItemHeight
GetBestColor
GetConstants
InitializeComponent
OnFontChanged
OnListClick
DrawItemEventArgs
OnListDrawItem
OnListKeyDown
OnPalettePick
OnTabControlResize
OnTabControlSelChange
ColorValues
EditorService
SystemColorValues
COLOR_HUE
COLOR_SAT
COLOR_LUM
COLOR_RED
COLOR_GREEN
COLOR_BLUE
COLOR_ADD
COLOR_MIX
hInstance
get_Instance
get_Options
Dispose
HookProc
Instance
Options
Compare
contentUI
RadioButton
topLeft
topCenter
topRight
middleLeft
middleCenter
middleRight
bottomLeft
bottomCenter
bottomRight
ContentAlignment
get_Align
set_Align
get_ShowFocusCues
InitComponent
OptionClick
get_CheckedControl
set_CheckedControl
ShowFocusCues
CheckedControl
cursorUI
get_IsDropDownResizable
IsDropDownResizable
TypeConverter
cursorConverter
OnClick
OnDrawItem
_toolboxService
IDesignerHost
ISelectionService
_selectionService
ArrayList
_filter
IDesigner
_filterDesigner
IToolboxUser
_toolboxUser
Hashtable
_attributeHash
get_DesignerHost
ICollection
get_Filter
get_ToolboxUser
RefreshEventArgs
OnTypeDescriptorRefresh
AttributeCollection
GetDesignerAttributes
RecurseDesignerTree
OnDesignerDisposed
OnSelectionChanged
Update
System.IDisposable.Dispose
DesignerHost
Filter
ToolboxUser
FontDialog
fontDialog
FontFamily
FontStyle
DrawFontSample
EM_GETSEL
EM_SETSEL
EM_GETRECT
EM_SETRECT
EM_SETRECTNP
EM_SCROLL
EM_LINESCROLL
EM_SCROLLCARET
EM_GETMODIFY
EM_SETMODIFY
EM_GETLINECOUNT
EM_LINEINDEX
EM_SETHANDLE
EM_GETHANDLE
EM_GETTHUMB
EM_LINELENGTH
EM_REPLACESEL
EM_GETLINE
EM_LIMITTEXT
EM_CANUNDO
EM_UNDO
EM_FMTLINES
EM_LINEFROMCHAR
EM_SETTABSTOPS
EM_SETPASSWORDCHAR
EM_EMPTYUNDOBUFFER
EM_GETFIRSTVISIBLELINE
EM_SETREADONLY
EM_SETWORDBREAKPROC
EM_GETWORDBREAKPROC
EM_GETPASSWORDCHAR
EM_SETMARGINS
EM_GETMARGINS
EM_SETLIMITTEXT
EM_GETLIMITTEXT
EM_POSFROMCHAR
EM_CHARFROMPOS
EC_LEFTMARGIN
EC_RIGHTMARGIN
EC_USEFONTINFO
IDCANCEL
IDABORT
IDRETRY
IDIGNORE
IDCLOSE
IDHELP
WM_INITDIALOG
SWP_NOSIZE
SWP_NOMOVE
SWP_NOZORDER
SWP_NOREDRAW
SWP_NOACTIVATE
SWP_FRAMECHANGED
SWP_SHOWWINDOW
SWP_HIDEWINDOW
SWP_NOCOPYBITS
SWP_NOOWNERZORDER
SWP_NOSENDCHANGING
SWP_DRAWFRAME
SWP_NOREPOSITION
SWP_DEFERERASE
SWP_ASYNCWINDOWPOS
WM_COMMAND
CC_FULLOPEN
CC_PREVENTFULLOPEN
CC_SHOWHELP
CC_ENABLEHOOK
CC_ENABLETEMPLATE
CC_ENABLETEMPLATEHANDLE
CC_SOLIDCOLOR
CC_ANYCOLOR
InvalidIntPtr
SendDlgItemMessage
GetDlgItem
EnableWindow
SetWindowPos
GetDlgItemInt
PostMessage
MAKELONG
MAKELPARAM
HIWORD
LOWORD
SignedHIWORD
SignedLOWORD
lstrlen
RegisterWindowMessage
IDesignerEventService
_designerEventService
_globalCreators
_designerCreators
_lastMergedHost
_lastMergedCreators
_lastState
_domainObject
AppDomain
_domain
System.Runtime.Remoting.Lifetime
ClientSponsor
_domainObjectSponsor
CategoryNameCollection
get_CategoryNames
get_SelectedCategory
set_SelectedCategory
get_SelectedItemContainer
set_SelectedItemContainer
CreateItemContainer
IDataObject
FilterChanged
GetCreatorCollection
GetFilterSupport
GetItemContainers
GetToolboxItem
System.Reflection
Assembly
GetToolboxItems
AssemblyName
IsItemContainer
IsItemContainerSupported
OnDesignerInfoChanged
Refresh
SelectedItemContainerUsed
SetCursor
UnloadToolboxItems
System.Drawing.Design.IToolboxService.get_CategoryNames
System.Drawing.Design.IToolboxService.get_SelectedCategory
System.Drawing.Design.IToolboxService.set_SelectedCategory
ToolboxItemCreatorCallback
System.Drawing.Design.IToolboxService.AddCreator
AddCreator
System.Drawing.Design.IToolboxService.AddLinkedToolboxItem
AddLinkedToolboxItem
System.Drawing.Design.IToolboxService.AddToolboxItem
AddToolboxItem
System.Drawing.Design.IToolboxService.DeserializeToolboxItem
DeserializeToolboxItem
System.Drawing.Design.IToolboxService.GetSelectedToolboxItem
GetSelectedToolboxItem
ToolboxItemCollection
System.Drawing.Design.IToolboxService.GetToolboxItems
System.Drawing.Design.IToolboxService.IsSupported
IsSupported
System.Drawing.Design.IToolboxService.IsToolboxItem
IsToolboxItem
System.Drawing.Design.IToolboxService.Refresh
System.Drawing.Design.IToolboxService.RemoveCreator
RemoveCreator
System.Drawing.Design.IToolboxService.RemoveToolboxItem
RemoveToolboxItem
System.Drawing.Design.IToolboxService.SelectedToolboxItemUsed
SelectedToolboxItemUsed
System.Drawing.Design.IToolboxService.SerializeToolboxItem
SerializeToolboxItem
System.Drawing.Design.IToolboxService.SetCursor
System.Drawing.Design.IToolboxService.SetSelectedToolboxItem
SetSelectedToolboxItem
System.ComponentModel.Design.IComponentDiscoveryService.GetComponentTypes
GetComponentTypes
CategoryNames
SelectedCategory
SelectedItemContainer
System.Drawing.Design.IToolboxService.CategoryNames
System.Drawing.Design.IToolboxService.SelectedCategory
value__
NotSupported
Supported
Custom
_callback
_format
Create
get_Format
Format
_localClipboardFormat
_itemClipboardFormat
_hashClipboardFormat
_serializationFormats
_serializationValues
_clipboardVersion
_hashCode
_toolboxItem
_dataObject
SerializationInfo
StreamingContext
get_IsCreated
get_IsTransient
get_ToolboxData
UpdateFilter
ContainsFormat
Equals
GetFilter
GetHashCode
GetObjectData
MergeFilter
System.Runtime.Serialization.ISerializable.GetObjectData
IsCreated
IsTransient
ToolboxData
_exceptionString
IComponent
CreateComponentsCore
_assemblyNameKey
_streamKey
System.Runtime.Serialization.Formatters.Binary
BinaryFormatter
_formatter
get_ToolboxItem
_assemblies
_namePart
BindToType
OBJID_CLIENT
System.Runtime.InteropServices
HandleRef
ClientToScreen
ScreenToClient
GetFocus
NotifyWinEvent
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
NeutralResourcesLanguageAttribute
SatelliteContractVersionAttribute
AssemblyInformationalVersionAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
AssemblyCopyrightAttribute
AssemblyProductAttribute
AssemblyCompanyAttribute
AssemblyDefaultAliasAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
CLSCompliantAttribute
ComVisibleAttribute
System.Diagnostics
DebuggableAttribute
DebuggingModes
CompilationRelaxationsAttribute
AttributeUsageAttribute
AttributeTargets
description
set_DescriptionValue
category
System.Threading
Interlocked
CompareExchange
GetType
get_Assembly
Monitor
ParamArrayAttribute
String
get_Length
Substring
Concat
get_CurrentCulture
IFormatProvider
System.Security.Permissions
SecurityPermissionAttribute
SecurityAction
extensions
context
provider
RuntimeTypeHandle
GetTypeFromHandle
GetService
OpenFileDialog
Activator
BindingFlags
Binder
CreateInstance
IsInstanceOfType
set_Filter
CommonDialog
DialogResult
ShowDialog
get_FileName
FileStream
FileMode
FileAccess
FileShare
IntPtr
op_Inequality
AddRange
ToArray
stream
MemoryStream
FromStream
get_Width
set_Width
get_Height
set_Height
get_Graphics
SystemPens
get_WindowFrame
DrawRectangle
DrawImage
.cctor
PermissionSetAttribute
Bitmap
DropDownControl
SolidBrush
FillRectangle
ControlStyles
SetStyle
SystemColors
get_Control
set_BackColor
set_Size
ColorTranslator
FromOle
Delegate
Combine
Remove
Invoke
across
Inflate
Invalidate
get_Handle
keyData
customIndex
CloseDropDown
get_Color
Component
get_KeyCode
MouseButtons
get_Button
Contains
get_BackColor
get_ClientRectangle
get_ControlText
ControlPaint
ButtonBorderStyle
DrawBorder
get_Focused
DrawFocusRectangle
newFocus
<PrivateImplementationDetails>{89757899-423F-490E-B04A-72754CC2C429}
CompilerGeneratedAttribute
ValueType
__StaticArrayInitTypeSize=192
$$method0x600011b-1
RuntimeHelpers
RuntimeFieldHandle
InitializeArray
get_Owner
ToString
get_White
get_Size
GetTabRect
get_Font
set_ItemHeight
ToArgb
enumType
PropertyInfo
GetProperties
get_PropertyType
MethodInfo
GetGetMethod
MethodBase
MethodAttributes
get_Attributes
GetValue
set_AccessibleName
TabPageCollection
get_TabPages
set_TabStop
set_SelectedTab
add_SelectedIndexChanged
DockStyle
set_Dock
add_Resize
DrawMode
set_DrawMode
BorderStyle
set_BorderStyle
set_IntegralHeight
set_Sorted
add_Click
DrawItemEventHandler
add_DrawItem
KeyEventHandler
add_KeyDown
add_FontChanged
ObjectCollection
get_Items
ControlCollection
get_Controls
sender
get_SelectedItem
get_Index
get_Item
DrawBackground
get_WindowText
get_ForeColor
DrawString
SetBounds
set_Bounds
set_Location
get_SelectedTab
System.Windows.Forms.Layout
ArrangedElementCollection
get_Count
get_SelectedIndex
set_SelectedItem
ListControl
Module
get_Module
GetManifestResourceStream
get_Position
Marshal
AllocHGlobal
disposing
FreeHGlobal
wParam
lParam
op_Explicit
set_Color
Boolean
FromArgb
get_InvariantCulture
GetHue
GetSaturation
GetBrightness
get_Checked
set_Checked
set_ForeColor
set_TabIndex
set_Text
Appearance
set_Appearance
AnchorStyles
set_Anchor
get_TabIndex
get_IsHandleCreated
Cursors
Cursor
get_Default
TypeDescriptor
GetConverter
GetStandardValuesSupported
GetStandardValues
IEnumerable
IEnumerator
GetEnumerator
get_Current
MoveNext
ConvertToString
SystemBrushes
DrawStretched
set_SelectedIndex
toolboxService
add_SelectionChanged
get_RootComponent
add_Disposed
RefreshEventHandler
add_Refreshed
get_ComponentChanged
designer
ArgumentNullException
ITreeDesigner
GetDesigner
get_Values
Attribute
CopyTo
GetAttributes
get_TypeId
set_Item
IServiceContainer
RemoveService
get_PrimarySelection
ToolboxItemFilterAttribute
ToolboxItemFilterType
get_FilterType
remove_SelectionChanged
remove_Disposed
remove_Refreshed
set_ShowApply
set_ShowColor
set_AllowVerticalFonts
set_Font
op_Equality
get_ActiveCaption
get_Right
get_Bottom
DrawLine
fontFamily
fontStyle
GraphicsUnit
get_ActiveCaptionText
RectangleF
op_Implicit
DrawIcon
System.Drawing.Imaging
Metafile
DllImportAttribute
user32.dll
nIDDlgItem
enable
hWndInsertAfter
signed
wparam
lparam
kernel32.dll
StructLayoutAttribute
LayoutKind
dataObject
itemFilter
targetFilter
get_FilterString
categoryName
toolType
nonPublic
get_IsPublic
get_IsNestedPublic
IsAssignableFrom
get_IsAbstract
ToolboxItemAttribute
IsDefaultAttribute
get_ToolboxItemType
ConstructorInfo
GetConstructor
Initialize
get_ContainsGenericParameters
newCodeBase
throwOnError
get_GlobalAssemblyCache
GetName
set_CodeBase
GetTypes
IContainer
set_AssemblyName
CreateDomain
get_FullName
CreateInstanceAndUnwrap
TimeSpan
Register
Deserialize
GetDataPresent
container
AddService
GetToolSupported
get_ActiveDesigner
get_Cross
set_Current
Unload
creator
format
toolboxItem
serializedObject
DataObject
filterAttributes
RemoveAt
designerHost
baseType
ReadOnlyCollectionBase
get_CodeBase
get_LocalPath
LoadFrom
ArgumentException
ReflectionTypeLoadException
Exception
get_LoaderExceptions
get_Message
Serialize
GetBuffer
FileNotFoundException
BadImageFormatException
IOException
callback
SerializableAttribute
SetData
get_DisplayName
get_AssemblyName
get_TypeName
BinaryWriter
creators
GetData
BinaryReader
ReadInt16
ReadString
GetFormats
AddValue
exceptionString
InvalidOperationException
get_Binder
set_Binder
assemblyName
typeName
StartsWith
Exists
System.Security
SuppressUnmanagedCodeSecurityAttribute
InAttribute
OutAttribute
winEvent
objType
System.Drawing.Design.SR.resources
System.Drawing.Design.colordlg.data
IJruL)
(]b,e,
=t]o-~^
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.PermissionSetAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
FullTrust
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionFlag, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
WrapNonExceptionThrows
*f:\RedBits\Tools\devdiv\FinalPublicKey.snk
2.0.0.0
2.0.50727.1433
Microsoft Corporation. All rights reserved.
Microsoft
.NET Framework
Microsoft Corporation
System.Drawing.Design.dll
RSDS7=
`BKkfz
System.Drawing.Design.pdb
_CorDllMain
mscoree.dll
visuaMZ
L!This program cannot be run in DOS mode.
BBB^BhB^BgBC
B[BDB_BRichB
`.data
@.reloc
TypeLib
Software
SYSTEM
SECURITY
Hardware
Interface
FileType
Component Categories
PDelete
NoRemove
ForceRemove
P P- P1P2Pb3PE4PW4P4P>!P92P P
!PHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
FUnRegisterTypeLib
oleaut32.dll
vsansi.dll
Yvsansi.dll
SOFTWARE\Microsoft\VSAnsi
JFPNFP,
\\cpvsbuild\drops\ofc10.0\raw\9122\vsbuilt\retail\bin\i386\vspkgs\cmddef.pdb
SVWeue
WgP_D$
;5hPr3^
s(W3;t
V $9>u5hP
;5hPr_^[UQQS]
hPhgPt$
Vq(;]ti
9 u-MEhP]_9 u
h|hPEE[
3;t/'F
P;unVPP
;tGWtB5
tF;t.P
SVWe3uQ
AAf:'u
AABBf!
PYYu'35(
^3[V3N
_^Ujhp
SVWe3uQ
_^[US39]
;tSSWVju
UQQS39]
SSWVju
;|C{uq9]
3@3U,E
7@PQEP
UQS39]
;tSSWVju
u3@e_^[
UQQS39
VW]tl9C
PPSVjWPP
|3e_^[
u PP6W
P?{u:W
uL9]tGh
PSVSSSWu
9]tLuM
t= PP3u
SVW3P}u;
WSjPVVf3
PEPVVS
39u~7M
G;}|3E
V348hPt$
<0|#<9~
UQ3PPPPPPPMQPPPu
?=u/W-|'
33Mu;uPW=
P;u6EPVVVEPPVuE
P_MF^[
UQS39]
SSu Wju
SSWVju
;tSSWVju
UQS39]
SSu Wju
SSWVju
;tSSWVju
SEPVWu
UQQS39]
;tSSWVju
MVe_^[
Vjt$ Pt$0
t%Vf6f\t
SVQPNu
bulEPh4
P|Q93WtI}
u3_M^[
VWEPEPu
PQ0?hD
VEPEPSu
(|jWuPt,=gPPS+u
sH7;t59E
sH7t4}
s(W3tF
s(W3tF
gPPPPEPP{
VVPEPP\
PPVVP@
P<j2$Pu
PUQQSVW39]
}tg9 t
UQQSVW39}
YYj\u$
;YYtsh
;t&E;t U
ZYQRhgPL$
t)3I;M
4 QPBu3_^[]
Pu^EPPEPSh
P^[Ul$
E@E|EPMT33}8}\EH$
M`MdMhu EHE|E|Pj
E,0E|+E0ul
M\u#EPE
@lhPEXuWtSuT3I
P3fu0=lhP
EHPYEx
thP3;t
EluQuT
PEhphP;t
Elu EHE|E|Pj
P;Elt'39{
P3thP;
u<M@9H
u4;p4u/u0bu8Y
ExYu\V
PEhphP;t
Ex9}xu
EHExExPj
PEdExExM|
M`MxMdMHQj
Ex_^[p
xhPY?u<hPt3
u7WPSt
u&WVSu
PhhPhhPt$
SVWeEh
_^[Ujh
SVWeEp
|hPth(HPZY
h2HPDY
hP#|hPyhP
lstrlenW
GetModuleFileNameW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedIncrement
InterlockedDecrement
MultiByteToWideChar
lstrlenA
GetShortPathNameA
GetModuleHandleA
GetModuleFileNameA
WideCharToMultiByte
FreeLibrary
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
GetLastError
lstrcmpiA
lstrcpynA
IsDBCSLeadByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
lstrcpyA
lstrcatA
GetProcAddress
LoadLibraryA
LocalAlloc
InterlockedExchange
GetVersionExA
RaiseException
KERNEL32.dll
CharNextA
USER32.dll
RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumKeyExA
RegQueryValueExA
ADVAPI32.dll
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
ole32.dll
OLEAUT32.dll
??3@YAXPAX@Z
_except_handler3
realloc
??2@YAPAXI@Z
wcscat
_wmakepath
_wsplitpath
swprintf
wcschr
wcslen
_initterm
malloc
_adjust_fdiv
MSVCR70.dll
__dllonexit
_onexit
memset
cmddef.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
VSDllRegisterServer
VSDllUnregisterServer
P=L9o<
hfP`PPXfP`PPHfP`PP8fP`PP(fP`PP
fP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPeP`PPlePxPPTePxPPDePxPP4ePPP(ePPP
ePPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPdPPPxdPPPldPPPTdPPP@dPPP,dPPP
dPPPcPPPcPPPcPPPcPPPcPPPcPPP|cPPPlcPPP`cPPPTcPPPDcPPP8cPPP$cPPP
cPPPbPPPbPPPbPPPbPPPbPPPbPPPbPPPtbPPPTbPPPDbPPP4bPPP$bPPP
bPPPaPPPaPPPaPPPaPPPaPPPaPPPaPPPpaPPPXaPPPDaPPP,aPPP
aPPP`PPP`PPP`PPP`PPP`PPP`PPPt`PPP``PPPL`PPP8`PPP(`PPP
`PPP_PPP_PPP_PPP_PPP_PPP_PPP_PPP|_PPPp_PPPd_PPPX_PPPL_PPP@_PPP4_PPP(_PPP
_PPP^PPP^PPP^PPP^PPP^PPP^PPP^PPPd^PPPP^PPP<^PPP,^PPP
^PPP]PPP]PPP]PPP]PPP]PPP]PPP]PPPx]PPPh]PPPX]PPPL]PPP@]PPP4]PPP(]PPP
]PPP\PPP\PPP\PPP\PPP\PPP\PPPp\PPP`\PPPT\PPPD\PPP0\PPP \PPP
\PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPP[PPPp[PPPd[PPPX[PPP@[PPP0[PPP
[PPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPZPPPtZPPP`ZPPPTZPPPHZPPP8ZPPP,ZPPP
ZPPPYPPPYPPPYPPPYPPPYPPPYPPPtYPPPhYPPPTYPPPDYPPP0YPPP YPPP
YPPPXPPPXPPPXPPPXPPPXPPPXPPPXPPP|XPPPhXPPP\XPPPPXPPPDXPPP8XPPP XP
OpenPrinterW
DocumentPropertiesW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wsprintfW
wvsprintfW
WinHelpW
VkKeyScanW
UnregisterClassW
TranslateAcceleratorW
TabbedTextOutW
SystemParametersInfoW
SetWindowTextW
SetWindowsHookExW
SetWindowLongW
SetPropW
SetMenuItemInfoW
SetDlgItemTextW
SetClassLongW
SendNotifyMessageW
SendMessageW
SendDlgItemMessageW
RemovePropW
RegisterWindowMessageW
RegisterClipboardFormatW
RegisterClassExW
RegisterClassW
PostThreadMessageW
PostMessageW
PeekMessageW
OemToCharW
ModifyMenuW
MessageBoxIndirectW
MessageBoxW
MapVirtualKeyW
LoadStringW
LoadMenuW
LoadMenuIndirectW
LoadImageW
LoadIconW
LoadCursorW
LoadBitmapW
LoadAcceleratorsW
IsDialogMessageW
IsCharAlphaW
IsCharAlphaNumericW
InsertMenuW
GrayStringW
GetWindowTextW
GetWindowTextLengthW
GetWindowLongW
GetTabbedTextExtentW
GetPropW
GetMessageW
GetDlgItemTextW
GetClassNameW
GetClassLongW
GetClassInfoExW
GetClassInfoW
FindWindowW
DrawTextW
DrawTextExW
DispatchMessageW
DialogBoxParamW
DialogBoxIndirectParamW
DefWindowProcW
DefMDIChildProcW
DefFrameProcW
DefDlgProcW
DdeInitializeW
DdeCreateStringHandleW
CreateWindowExW
CreateMDIWindowW
CreateDialogParamW
CreateDialogIndirectParamW
CreateAcceleratorTableW
CopyAcceleratorTableW
CharUpperW
CharUpperBuffW
CharToOemW
CharPrevW
CharNextW
CharLowerW
CharLowerBuffW
CallWindowProcW
AppendMenuW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteExW
Shell_NotifyIconW
SHBrowseForFolderW
FindExecutableW
ExtractIconExW
ExtractIconW
ExtractAssociatedIconW
DragQueryFileW
StgCreateDocfile
WNetGetConnectionW
WritePrivateProfileStringW
VerLanguageNameW
SetLocaleInfoW
SetFileAttributesW
SetEnvironmentVariableW
SetCurrentDirectoryW
SearchPathW
RemoveDirectoryW
OutputDebugStringW
MoveFileW
MoveFileExW
lstrlenW
lstrcpyW
lstrcpynW
lstrcmpW
lstrcmpiW
lstrcatW
LoadLibraryW
LoadLibraryExW
LCMapStringW
IsBadStringPtrW
GlobalGetAtomNameW
GlobalFindAtomW
GlobalAddAtomW
GetVolumeInformationW
GetVersionExW
GetTimeFormatW
GetTempPathW
GetTempFileNameW
GetSystemDirectoryW
GetStringTypeExW
GetShortPathNameW
GetProfileIntW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetNumberFormatW
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDateFormatW
GetCurrencyFormatW
GetCurrentDirectoryW
GetComputerNameW
FreeEnvironmentStringsW
FormatMessageW
FindResourceW
FindNextFileW
FindFirstFileW
FindFirstChangeNotificationW
FatalAppExitW
ExpandEnvironmentStringsW
DeleteFileW
CreateSemaphoreW
CreateProcessW
CreateMutexW
CreateFileW
CreateFileMappingW
CreateEventW
CreateDirectoryW
CreateDirectoryExW
CopyFileW
CompareStringW
StartDocW
ResetDCW
GetTextMetricsW
GetTextFaceW
GetTextExtentExPointW
GetTextExtentPointW
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetObjectW
GetKerningPairsW
GetGlyphOutlineW
GetCharWidthW
GetCharWidthFloatW
GetCharABCWidthsW
GetCharABCWidthsFloatW
ExtTextOutW
CreateMetaFileW
CreateICW
CreateFontW
CreateFontIndirectW
CreateEnhMetaFileW
CreateDCW
CopyMetaFileW
PrintDlgW
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
ChooseFontW
ChooseColorW
PropertySheetW
ImageList_LoadImageW
CreatePropertySheetPageW
RegSetValueW
RegSetValueExW
RegQueryValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegEnumKeyExW
RegEnumValueW
RegEnumKeyW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
GetUserNameW
winspool.drv
winmm.dll
version.dll
user32.dll
url.dll
shell32.dll
rpcrt4.dll
rasapi32.dll
opengl32.dll
oledlg.dll
ole32.dll
mswsock.dll
msvfw32.dll
mpr.dll
lz32.dll
kernel32.dll
imm32.dll
gdi32.dll
comdlg32.dll
comctl32.dll
avifil32.dll
avicap32.dll
advapi32.dll
%REGROOTBEGIN%
NoRemove Packages
ForceRemove %MENU_PKG_GUID% = s 'Commands definition Package'
{
val InprocServer32 = s '%MODULE%'
ForceRemove SatelliteDll
{
val DllName = s 'cmddefui.dll'
val Path = s '%MODULE_DIR%'
}
}
NoRemove Menus
ForceRemove val %MENU_PKG_GUID% = s '%MENU_RES%'
%REGROOTEND%
11111111@2D2H2L2P2T2X2\2222222222224383<3@3D3H3L3P3T3X3\3`3d3h3l3t3x384@4H4P4X4`4h4p4x444444444444445555555555555555(6,6064686<6@6D66666666666666666666
7777777
8Y8b8z8888A9]999D::::::::::
;q;;;;$<T<Z<_<l<<<<<
=H=Z=l==
><>A>d>
??????
"0J0g00000T1~1111
22n33333%444
5#5:555
616h6666
7D7Q7777
8(818>888888
<7<V<t<<<<===<>m>z>>7?Q??????????????
0"0:00*1r111
2O2y222#33333
6+6G6s6y6666
7>7S7[7a7
8*818V8u88
9%9C:R:\:f:}:;;:<d<<<<<<<<<&=<=s===0>P>o>>>>>
?!?R????????
0$0=0H0h00
1 161E1l1y111111*2>2T2a2h2s2z22
363I333333333333333
4"4(4I4[44440565<5E5J5O5t5z5555555555
6,636l666666F7v777777777
8 8)838
0 0$0(0,0004080<0@0D0H0L0`0h0p0x00000000000000000
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|111111111111111111111111111111111
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|222222222222222222222222222222222
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|333333333333333333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777
TNPPOA
kmsOAMSOFFICE9.0
0*0*0*
`T`T`T`T0*
visua18:35:41 - Startup
18:35:42 - Bound UDP socket waiting for commands, error: 0
18:35:42 - Nothing received yet
18:35:43 - Nothing received yet
18:35:44 - Nothing received yet
18:35:45 - Nothing received yet
18:35:46 - Nothing received yet
18:35:47 - Nothing received yet
18:35:48 - Nothing received yet
18:35:49 - Nothing received yet
18:35:51 - Nothing received yet
18:35:52 - Nothing received yet
18:35:53 - Nothing received yet
18:35:54 - Nothing received yet
visuaMZ
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
'}JQ|g
Y+\\-%
Gh7<D*pPw9
Wq?pL h7
hQ1EyT
f:\VS70Builds\5077\vsbuilt\retail\bin\i386\msosec.pdb
v1.1.4324
#Strings
<Module>
msosec.dll
mscorlib
System
Object
AssemblyRef
System.Security.Policy
IMembershipCondition
System.Security
ISecurityEncodable
ISecurityPolicyEncodable
OfficeDocumentMembershipCondition
Microsoft.Office.Security.Policy
OfficeDocument
VsAssemblyVer
NdpAssemblyVer
MicrosoftVisualBasicVsa
MicrosoftJScript
MicrosoftVisualBasicVsaDt
Evidence
System.Security.Policy.IMembershipCondition.Check
System.Security.Policy.IMembershipCondition.Copy
System.Security.Policy.IMembershipCondition.Equals
Equals
System.Security.Policy.IMembershipCondition.ToString
ToString
SecurityElement
System.Security.ISecurityEncodable.ToXml
System.Security.ISecurityEncodable.FromXml
FromXml
PolicyLevel
System.Security.ISecurityPolicyEncodable.ToXml
System.Security.ISecurityPolicyEncodable.FromXml
System.Reflection
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyKeyFileAttribute
AssemblyDelaySignAttribute
AssemblyFileVersionAttribute
AssemblyVersionAttribute
msosec
SerializableAttribute
rootEvidence
System.Collections
IEnumerator
GetHostEnumerator
get_Current
MoveNext
GetType
String
LastIndexOf
Substring
get_AssemblyQualifiedName
Escape
AddAttribute
ArgumentException
Attribute
op_Inequality
(]b,e,
=t]o-~^
#Visual Studio .NET Tools for Office
8Copyright
Microsoft Corporation. All rights reserved.
Custom membership condition
Microsoft Corporation
<f:\VS70Builds\5077\vs\src\common\security\FinalPublicKey.snk
7.10.5077.0
_CorDllMain
mscoree.dll
visuaL
PO :i
PROGRA~1
NetTime
^Gh^Gh
NetTime.exe
^Gh^Gh
C:\Program Files\NetTime\NetTime.exe
base-xp
TJu'x};
TJu'x};
yrkxeP:#
zgMB6)
{vlaWLB7-"
vr^J6"
'.49>ADFFE
D}A|=|8{2{,{%{
|zwuspnksz
}{xvtromt{
}{ywtrpnu}
}{yxvtrpw~
}{zxvusqx
~|{yxvusz
~|{zxwut{
~}|{yxwv}
~}|{zzyx~
visua[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
M�S�E�.�H�X�S�
M�S�E�.�H�X�S�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�l�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
M�S�E�.�H�X�S�
M�S�E�.�H�X�S�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�l�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
C�:�\�U�s�e�r�s�\�A�d�m�i�n�i�s�t�r�a�t�o�r�\�D�e�s�k�t�o�p�\�f�p�_�1�8�.�0�.�0�.�2�0�3�_�a�r�c�h�i�v�e�.�z�i�p�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�#�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�5�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�D�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�Q�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�_�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�{�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
D�e�f�i�n�e� �C�o�l�o�r�
M�S� �S�a�n�s� �S�e�r�i�f�
C�o�l�o�r�|�
S�&�o�l�i�d�
&�G�r�e�e�n�:�
B�l�&�u�e�:�
&�A�d�d� �C�o�l�o�r�
&�C�l�o�s�e�
9�"�E�$�E�a�
�!�$�"�%�$�(�
#�"�$�"�%�"�(�'�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�S�R�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
c�o�l�o�r�d�l�g�.�d�a�t�a�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
d�e�s�i�g�n�e�r�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
d�a�t�a�O�b�j�e�c�t�
t�o�o�l�T�y�p�e�
A�s�s�e�m�b�l�y� �E�n�u�m�e�r�a�t�i�o�n� �D�o�m�a�i�n�
c�o�n�t�a�i�n�e�r�
c�r�e�a�t�o�r�
f�o�r�m�a�t�
t�o�o�l�b�o�x�I�t�e�m�
c�a�t�e�g�o�r�y�
s�e�r�i�a�l�i�z�e�d�O�b�j�e�c�t�
f�i�l�t�e�r�A�t�t�r�i�b�u�t�e�s�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
i�m�a�g�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�S�y�s�t�e�m�T�a�b�
C�o�l�o�r�E�d�i�t�o�r�S�t�a�n�d�a�r�d�T�a�b�
b�i�t�m�a�p�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�l�o�r�E�d�i�t�o�r�P�a�l�e�t�t�e�T�a�b�
i�c�o�n�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
m�e�t�a�f�i�l�e�F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�T�o�p�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�M�i�d�d�l�e�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�L�e�f�t�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�C�e�n�t�e�r�A�c�c�N�a�m�e�
C�o�n�t�e�n�t�A�l�i�g�n�m�e�n�t�E�d�i�t�o�r�B�o�t�t�o�m�R�i�g�h�t�A�c�c�N�a�m�e�
C�o�l�o�r�E�d�i�t�o�r�A�c�c�N�a�m�e�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�B�a�d�T�o�o�l�b�o�x�I�t�e�m�W�i�t�h�E�x�c�e�p�t�i�o�n�
T�o�o�l�b�o�x�S�e�r�v�i�c�e�A�s�s�e�m�b�l�y�N�o�t�F�o�u�n�d�
a�c�t�i�v�e�d�s�.�d�l�l�
a�d�v�a�p�i�3�2�.�d�l�l�
c�o�m�c�t�l�3�2�.�d�l�l�
c�o�m�d�l�g�3�2�.�d�l�l�
g�d�i�3�2�.�d�l�l�
g�d�i�p�l�u�s�.�d�l�l�
h�h�c�t�r�l�.�o�c�x�
i�m�m�3�2�.�d�l�l�
k�e�r�n�e�l�3�2�.�d�l�l�
L�o�a�d�p�e�r�f�.�d�l�l�
m�s�c�o�r�e�e�.�d�l�l�
m�s�c�o�r�w�k�s�.�d�l�l�
m�s�i�.�d�l�l�
m�q�r�t�.�d�l�l�
n�t�d�l�l�.�d�l�l�
o�l�e�3�2�.�d�l�l�
o�l�e�a�c�c�.�d�l�l�
o�l�e�a�u�t�3�2�.�d�l�l�
o�l�e�p�r�o�3�2�.�d�l�l�
p�e�r�f�c�o�u�n�t�e�r�.�d�l�l�
P�o�w�r�p�r�o�f�.�d�l�l�
p�s�a�p�i�.�d�l�l�
s�h�e�l�l�3�2�.�d�l�l�
s�h�f�o�l�d�e�r�.�d�l�l�
u�s�e�r�3�2�.�d�l�l�
u�x�t�h�e�m�e�.�d�l�l�
w�i�n�m�m�.�d�l�l�
w�i�n�s�p�o�o�l�.�d�r�v�
w�t�s�a�p�i�3�2�.�d�l�l�
v�e�r�s�i�o�n�.�d�l�l�
v�s�a�s�s�e�r�t�.�d�l�l�
s�h�l�w�a�p�i�.�d�l�l�
c�r�y�p�t�3�2�.�d�l�l�
o�d�b�c�3�2�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
o�c�i�.�d�l�l�
o�r�a�m�t�s�.�d�l�l�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�C�O�N�T�E�N�T�S�
C�F�_�T�O�O�L�B�O�X�I�T�E�M�C�O�N�T�A�I�N�E�R�_�H�A�S�H�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�F�o�r�m�a�t�s�
T�b�x�I�C�_�D�a�t�a�O�b�j�e�c�t�V�a�l�u�e�s�
A�s�s�e�m�b�l�y�N�a�m�e�
S�t�r�e�a�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
.�N�E�T� �F�r�a�m�e�w�o�r�k�
F�i�l�e�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3� �(�R�E�D�B�I�T�S�.�0�5�0�7�2�7�-�1�4�0�0�)�
I�n�t�e�r�n�a�l�N�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
S�y�s�t�e�m�.�D�r�a�w�i�n�g�.�D�e�s�i�g�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t�
�.�N�E�T� �F�r�a�m�e�w�o�r�k�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
2�.�0�.�5�0�7�2�7�.�1�4�3�3�
C�o�m�m�e�n�t�s�
F�l�a�v�o�r�=�R�e�t�a�i�l�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�V�i�s�u�a�l�S�t�u�d�i�o�\�7�.�0�
R�E�G�I�S�T�R�Y�
M�o�d�u�l�e�
M�O�D�U�L�E�_�D�I�R�
M�O�D�U�L�E�_�N�A�M�E�
R�E�G�R�O�O�T�E�N�D�
R�E�G�R�O�O�T�B�E�G�I�N�
S�A�P�P�_�O�B�J�E�C�T�
M�E�N�U�_�R�E�S�
M�E�N�U�_�P�K�G�_�G�U�I�D�
�N�o�R�e�m�o�v�e� �
R�E�G�I�S�T�R�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
V�i�s�u�a�l� �S�t�u�d�i�o� �E�n�v�i�r�o�n�m�e�n�t� �C�o�m�m�a�n�d� �d�e�f�i�n�i�t�i�o�n� �D�L�L�
F�i�l�e�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
I�n�t�e�r�n�a�l�N�a�m�e�
c�m�d�d�e�f�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �M�i�c�r�o�s�o�f�t� �C�o�r�p�.� �1�9�9�2�-�2�0�0�1�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
c�m�d�d�e�f�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �D�e�v�e�l�o�p�m�e�n�t� �E�n�v�i�r�o�n�m�e�n�t�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�0�0�.�9�0�6�4�.�9�1�2�2�
0�0�0�0�0�4�e�4�
B�u�i�l�t� �b�y�
V�S�B�u�i�l�d�L�a�b�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
I�M�e�m�b�e�r�s�h�i�p�C�o�n�d�i�t�i�o�n�
7�.�0�.�5�0�0�0�.�0�
1�.�0�.�5�0�0�0�.�0�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�J�S�c�r�i�p�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�M�i�c�r�o�s�o�f�t�.�V�i�s�u�a�l�B�a�s�i�c�.�V�s�a�.�D�t�,� �V�e�r�s�i�o�n�=�7�.�0�.�5�0�0�0�.�0�,� �C�u�l�t�u�r�e�=�n�e�u�t�r�a�l�,� �P�u�b�l�i�c�K�e�y�T�o�k�e�n�=�b�0�3�f�5�f�7�f�1�1�d�5�0�a�3�a�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
C�u�s�t�o�m� �m�e�m�b�e�r�s�h�i�p� �c�o�n�d�i�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
m�s�o�s�e�c�.�d�l�l�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t�
�M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
m�s�o�s�e�c�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
V�i�s�u�a�l� �S�t�u�d�i�o� �.�N�E�T� �T�o�o�l�s� �f�o�r� �O�f�f�i�c�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
7�.�1�0�.�5�0�7�7�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
7�.�0�.�5�0�0�0�.�0�
P�r�o�g�r�a�m� �F�i�l�e�s�
N�e�t�T�i�m�e�
N�e�t�T�i�m�e�.�e�x�e�
0�.�.�\�.�.�\�.�.�\�.�.�\�.�.�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�\�N�e�t�T�i�m�e�.�e�x�e�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s�\�N�e�t�T�i�m�e�
&�'�(�)�+�,�.�0�3�
r�1�1�2�3�4�6�8�
B�B�C�D�E�G�I�
T�T�T�U�V�W�Y�
e�e�e�f�g�h�i�
v�v�v�w�x�y�z�
�#�&�(�*�*�*�
+�*�(�%�"� �
�#�&�(�*�+�+�
)�(�'�%�#�"� � � �!�"�$�&�'�)�)�)�
I�B�;�3�+�#�
^�_�a�b�d�f�i�l�o�s�x�
}�i�Y�H�7�%�
R�N�K�G�C�C�C�C�C�C�C�C�D�D�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
}�s�h�^�T�I�?�>�>�=�=�9�4�0�+�'�"�
|�i�V�E�4�%�
y� � �}�w�y�
{�s�j�b�Y�_�
w�n�f�]�U�L�R�
}�t�k�b�Y�P�H�?�E�
y�p�h�_�V�M�D�;�2�8�
n�e�[�R�I�@�7�.�%�+�
d�g�k�n�r�u�y�
}�o�a�U�K�B�:�5�1�/�/�1�
"�*�1�:�D�P�
"�)�2�;�D�N�W�`�i�r�v�
!�(�1�9�B�K�T�]�e�n�r�
�'�/�8�@�I�Q�Y�b�j�m�
�&�.�6�>�F�N�V�^�f�i�
%�-�4�<�D�K�S�Z�b�d�
$�+�3�:�B�I�P�W�^�`�
#�*�1�8�?�E�L�S�Z�\�\�
!�(�.�5�<�C�I�P�V�X�X�
�&�-�3�9�@�F�L�R�S�T�
�%�+�1�7�=�C�I�O�O�O�O�
#�4�D�T�e�w�
M�S�E�.�H�X�S�
M�S�E�.�H�X�S�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�l�
C�:�\�P�r�o�g�r�a�m� �F�i�l�e�s� �(�x�8�6�)�\�M�i�c�r�o�s�o�f�t� �O�f�f�i�c�e�\�O�f�f�i�c�e�1�2�\�1�0�3�3�\�
Process Tree
- 03148d36d317655ca7853e90a4a2b45111745208dbba93dcd42d05ed6b9e399c.exe (2600) "C:\Users\Administrator\AppData\Local\Temp\03148d36d317655ca7853e90a4a2b45111745208dbba93dcd42d05ed6b9e399c.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.