Analysis Details
Category Package Started Completed Duration Logs
FILE dll 2026-04-28 00:56:48 2026-04-28 01:00:26 218s
Analysis Log
2026-03-05 20:34:37,913 [root] INFO: Date set to: 20260428T00:57:34, timeout set to: 120
2026-04-28 00:57:34,173 [root] DEBUG: Starting analyzer from: C:\drl3__ia
2026-04-28 00:57:34,173 [root] DEBUG: Storing results at: C:\XJKAvEz
2026-04-28 00:57:34,173 [root] DEBUG: Pipe server name: \\.\PIPE\bRdEiig
2026-04-28 00:57:34,173 [root] DEBUG: Python path: C:\Python310
2026-04-28 00:57:34,173 [root] INFO: analysis running as an admin
2026-04-28 00:57:34,173 [root] INFO: analysis package specified: "dll"
2026-04-28 00:57:34,173 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2026-04-28 00:57:34,188 [root] DEBUG: imported analysis package "dll"
2026-04-28 00:57:34,188 [root] DEBUG: initializing analysis package "dll"...
2026-04-28 00:57:34,188 [lib.common.common] INFO: wrapping
2026-04-28 00:57:34,188 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-28 00:57:34,188 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55
2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2026-04-28 00:57:34,313 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-04-28 00:57:34,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-04-28 00:57:34,485 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-04-28 00:57:34,516 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-04-28 00:57:34,610 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-28 00:57:34,735 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-28 00:57:34,813 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-28 00:57:34,923 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-04-28 00:57:34,985 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-04-28 00:57:35,001 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-04-28 00:57:35,001 [root] DEBUG: Initialized auxiliary module "Browser"
2026-04-28 00:57:35,001 [root] DEBUG: attempting to configure 'Browser' from data
2026-04-28 00:57:35,016 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-04-28 00:57:35,016 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-04-28 00:57:35,016 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-04-28 00:57:35,016 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-04-28 00:57:35,016 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-04-28 00:57:35,016 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-04-28 00:57:35,016 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-04-28 00:57:35,016 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-04-28 00:57:36,204 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-04-28 00:57:36,204 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-04-28 00:57:36,204 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-04-28 00:57:36,204 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-04-28 00:57:36,204 [root] DEBUG: attempting to configure 'Disguise' from data
2026-04-28 00:57:36,204 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-04-28 00:57:36,204 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-04-28 00:57:36,219 [modules.auxiliary.disguise] INFO: Disguising GUID to edfca9f0-b2a7-4a7b-92c3-208899b6a836
2026-04-28 00:57:36,219 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-04-28 00:57:36,235 [root] DEBUG: Initialized auxiliary module "Human"
2026-04-28 00:57:36,235 [root] DEBUG: attempting to configure 'Human' from data
2026-04-28 00:57:36,235 [root] DEBUG: module Human does not support data configuration, ignoring
2026-04-28 00:57:36,235 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-04-28 00:57:36,251 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-04-28 00:57:36,251 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-04-28 00:57:36,251 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-04-28 00:57:36,251 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-04-28 00:57:36,251 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-04-28 00:57:36,298 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-04-28 00:57:36,298 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-04-28 00:57:36,298 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-04-28 00:57:36,298 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-04-28 00:57:36,313 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-04-28 00:57:36,313 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644
2026-04-28 00:57:37,829 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\drl3__ia\dll\644.ini
2026-04-28 00:57:37,844 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-28 00:57:37,860 [lib.api.process] INFO: 64-bit DLL to inject is C:\drl3__ia\dll\EoqgWis.dll, loader C:\drl3__ia\bin\jbmtltnx.exe
2026-04-28 00:57:38,016 [root] DEBUG: Loader: Injecting process 644 with C:\drl3__ia\dll\EoqgWis.dll.
2026-04-28 00:57:38,329 [root] DEBUG: 644: Python path set to 'C:\Python310'.
2026-04-28 00:57:38,329 [root] DEBUG: 644: Disabling sleep skipping.
2026-04-28 00:57:38,344 [root] DEBUG: 644: TLS secret dump mode enabled.
2026-04-28 00:57:38,579 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-28 00:57:38,610 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE00000, thread 3868, image base 0x00007FF7C23E0000, stack from 0x0000008E4CA72000-0x0000008E4CA80000
2026-04-28 00:57:38,610 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe
2026-04-28 00:57:38,641 [root] DEBUG: 644: Hooked 5 out of 5 functions
2026-04-28 00:57:38,688 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-28 00:57:38,704 [root] DEBUG: Successfully injected DLL C:\drl3__ia\dll\EoqgWis.dll.
2026-04-28 00:58:05,516 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>
2026-04-28 00:58:05,532 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-04-28 00:58:05,688 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\XJKAvEz\tlsdump\tlsdump.log
2026-04-28 00:58:12,641 [root] INFO: Restarting WMI Service
2026-04-28 00:58:12,705 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2026-04-28 00:58:12,705 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2026-04-28 00:58:12,705 [lib.common.common] INFO: Submitted file is missing extension, adding .dll
2026-04-28 00:58:12,705 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-28 00:58:12,751 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll",#1" with pid 5804
2026-04-28 00:58:12,751 [lib.api.process] INFO: Monitor config for <Process 5804 rundll32.exe>: C:\drl3__ia\dll\5804.ini
2026-04-28 00:58:12,751 [lib.api.process] INFO: 32-bit DLL to inject is C:\drl3__ia\dll\bcxciCVv.dll, loader C:\drl3__ia\bin\SuLiCON.exe
2026-04-28 00:58:12,891 [root] DEBUG: Loader: Injecting process 5804 (thread 5800) with C:\drl3__ia\dll\bcxciCVv.dll.
2026-04-28 00:58:12,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-28 00:58:12,923 [root] DEBUG: Successfully injected DLL C:\drl3__ia\dll\bcxciCVv.dll.
2026-04-28 00:58:12,938 [lib.api.process] INFO: Injected into 32-bit <Process 5804 rundll32.exe>
2026-04-28 00:58:14,954 [lib.api.process] INFO: Successfully resumed <Process 5804 rundll32.exe>
2026-04-28 00:58:15,844 [root] DEBUG: 5804: Python path set to 'C:\Python310'.
2026-04-28 00:58:15,891 [root] DEBUG: 5804: Disabling sleep skipping.
2026-04-28 00:58:15,907 [root] DEBUG: 5804: Dropped file limit defaulting to 100.
2026-04-28 00:58:15,985 [root] DEBUG: 5804: YaraInit: Compiled 44 rule files
2026-04-28 00:58:16,001 [root] DEBUG: 5804: YaraInit: Compiled rules saved to file C:\drl3__ia\data\yara\capemon.yac
2026-04-28 00:58:16,016 [root] DEBUG: 5804: YaraScan: Scanning 0x00BE0000, size 0x136e8
2026-04-28 00:58:16,016 [root] DEBUG: 5804: Monitor initialised: 32-bit capemon loaded in process 5804 at 0x73bc0000, thread 5800, image base 0xbe0000, stack from 0x2e32000-0x2e40000
2026-04-28 00:58:16,032 [root] DEBUG: 5804: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll",#1
2026-04-28 00:58:17,110 [root] DEBUG: 5804: Yara error: Scanning timed out
2026-04-28 00:58:17,204 [root] DEBUG: 5804: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 0x73F522A0 (AcLayers.DLL::0xfd4a22a0)
2026-04-28 00:58:17,204 [root] DEBUG: 5804: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73F524E0 (AcLayers.DLL::0xfd4a24e0)
2026-04-28 00:58:17,219 [root] DEBUG: 5804: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73F527A0 (AcLayers.DLL::0xfd4a27a0)
2026-04-28 00:58:17,657 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-28 00:58:17,657 [root] DEBUG: 5804: set_hooks: Unable to hook GetCommandLineA
2026-04-28 00:58:17,673 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-28 00:58:17,673 [root] DEBUG: 5804: set_hooks: Unable to hook GetCommandLineW
2026-04-28 00:58:18,813 [root] DEBUG: 5804: Hooked 630 out of 632 functions
2026-04-28 00:58:18,829 [root] DEBUG: 5804: Syscall hook installed, syscall logging level 1
2026-04-28 00:58:18,829 [root] DEBUG: 5804: RestoreHeaders: Restored original import table.
2026-04-28 00:58:18,829 [root] INFO: Loaded monitor into process with pid 5804
2026-04-28 00:58:18,845 [root] DEBUG: 5804: caller_dispatch: Added region at 0x00BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00BE5F1A, thread 5800).
2026-04-28 00:58:18,845 [root] DEBUG: 5804: YaraScan: Scanning 0x00BE0000, size 0x136e8
2026-04-28 00:58:18,845 [root] DEBUG: 5804: ProcessImageBase: Main module image at 0x00BE0000 unmodified (entropy change 0.000000e+00)
2026-04-28 00:58:19,188 [root] DEBUG: 5804: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 5800).
2026-04-28 00:58:19,204 [root] DEBUG: 5804: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-28 00:58:19,204 [root] DEBUG: 5804: Target DLL loaded at 0x05FD0000: C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55 (0x1e000 bytes).
2026-04-28 00:58:19,204 [root] DEBUG: 5804: YaraScan: Scanning 0x05FD0000, size 0x1f0
2026-04-28 00:58:21,532 [root] DEBUG: 5804: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5800).
2026-04-28 00:58:21,547 [root] DEBUG: 5804: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-28 00:58:22,376 [root] DEBUG: 5804: DLL loaded at 0x73B20000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes).
2026-04-28 00:58:23,032 [root] DEBUG: 5804: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-28 00:58:23,251 [root] DEBUG: 5804: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2026-04-28 00:58:23,704 [root] DEBUG: 5804: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-28 00:58:23,719 [root] DEBUG: 5804: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-28 00:58:23,719 [root] DEBUG: 5804: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-28 00:58:31,079 [root] DEBUG: 5804: DLL loaded at 0x73710000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x73740000: C:\Windows\System32\CoreMessaging (0x9b000 bytes).
2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x73630000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x737E0000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes).
2026-04-28 00:58:31,110 [root] DEBUG: 5804: DLL loaded at 0x73A60000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2026-04-28 01:00:15,239 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-28 01:00:15,239 [lib.api.process] INFO: Terminate event set for <Process 5804 rundll32.exe>
2026-04-28 01:00:15,239 [root] DEBUG: 5804: Terminate Event: Attempting to dump process 5804
2026-04-28 01:00:15,239 [root] DEBUG: 5804: VerifyCodeSection: Executable code does not match, 0x153f6 of 0x153f7 matching
2026-04-28 01:00:15,254 [root] DEBUG: 5804: DoProcessDump: Code modification detected, dumping Imagebase at 0x05FD0000.
2026-04-28 01:00:15,254 [root] DEBUG: 5804: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-04-28 01:00:15,254 [root] DEBUG: 5804: DumpProcess: Instantiating PeParser with address: 0x05FD0000.
2026-04-28 01:00:15,270 [root] DEBUG: 5804: DumpProcess: Module entry point VA is 0x05FE73F2.
2026-04-28 01:00:15,270 [root] DEBUG: 5804: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05FE8000, section 2
2026-04-28 01:00:15,270 [root] DEBUG: 5804: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05FEA000, section 3
2026-04-28 01:00:15,738 [lib.common.results] INFO: Uploading file C:\XJKAvEz\CAPE\5804_251741502227142026 to procdump\b7b4d47ba3fc76015fb8c7bb34b6d87f0458375f59d8e89b6a9569948044976b; Size is 88064; Max size: 100000000
2026-04-28 01:00:15,738 [root] DEBUG: 5804: DumpProcess: Module image dump success - dump size 0x15800.
2026-04-28 01:00:15,754 [lib.api.process] INFO: Termination confirmed for <Process 5804 rundll32.exe>
2026-04-28 01:00:15,754 [root] INFO: Terminate event set for process 5804
2026-04-28 01:00:15,754 [root] INFO: Created shutdown mutex
2026-04-28 01:00:15,754 [root] DEBUG: 5804: Terminate Event: monitor shutdown complete for process 5804
2026-04-28 01:00:16,770 [root] INFO: Shutting down package
2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary modules
2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary module: Browser
2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary module: Human
2026-04-28 01:00:19,613 [root] INFO: Stopping auxiliary module: Screenshots
2026-04-28 01:00:20,192 [root] INFO: Finishing auxiliary modules
2026-04-28 01:00:20,192 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-28 01:00:20,192 [root] WARNING: Folder at path "C:\XJKAvEz\debugger" does not exist, skipping
2026-04-28 01:00:20,192 [root] INFO: Uploading files at path "C:\XJKAvEz\tlsdump"
2026-04-28 01:00:20,192 [lib.common.results] INFO: Uploading file C:\XJKAvEz\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 21098; Max size: 100000000
2026-04-28 01:00:20,207 [root] INFO: Analysis completed
Machine Information
Name Label Manager Started On Shutdown On
win10x64 win10x64 KVM 2026-04-28 00:56:48 2026-04-28 01:00:25
File Details
File Information
File Name
01e3b18bd63981decb384f55
File Type PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File Size 100352 bytes
MD5 9c8242440c47a4f1ce2e47df3c3ddd28
SHA1 874f3caf663265f7dd18fb565d91b7d915031251
SHA256 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
SHA3-384 a9b9993935da4f81da652c08d13476b1a9b1baf3bedb362f5ac175fc33b5fc213b0b5decb98df5aca700b0c7e41e316e
CRC32 EDEEDF40
TLSH T134A3490766CD6EAEDABD4638733307C6C328CE425953D6DE28D420659A3A7D33A033D6
Ssdeep 3072:2m7DYfm4SRR+NaVEs+k6kiS+94ERR6gR0bRbD:2IoIRRGaVExfd
Yara
Strings
get_WParam
o3K=M
#=q9MSpJ0C9gy1tNtiHMT0xuOhK0eh3XkuUCIUdV0CL_Vc=
feffeeffefe
#=qDryb$Lj81YuexT_kT546UteX3jn1a5MWE58jzYBzqzA=
kNumAlignBits
m_IsMatchDecoders
vD|Jy
get_DeclaringType
#=q5LicbGLyNvYH7rAg86LLew==
#=qd8PFK0o9ZmfLuRvVs5TueBqBiNJMAYg6mfAY7qPvztw=
#=qILpIzHL2R4oZr_xuJ35Ks0Qv8efeDFq9$IysEjhmwb8=
#=qXwgB3iQRF3f74mr47OcIXA==
Format
#=qbaeFrXHqfUmKDWhl$m1oW1YJ6aPS$T3nwSKQdfykURs=
IClientUIHost
K.^^0d
Pd5iG
#>6Mzf
#=qbt21$tSdKp3amqFUQffN4g==
#=qmAOt84hQOfmqpLQTy_m9Gw==
MakeCode
get_Chars
w,uNm
#=qJLhNEnVZH5g1ZqJMJz$RzYGuUiBvJ7jvAqqxd1jmI9w=
SetThreadContext
fefeffefefe
#=qoOW0Qs7uLOIFAgZnF5WYag==
IClientNetworkHost
get_TickCount
KeyboardType
AssemblyCompanyAttribute
ResourceManager
_Lambda$__4
RawInputHeader
fefeffeefY
#=qfGRrfgRh9ShPgCgw1WBGlA==
UsagePage
#=q8kI8WUAO3EIwh$dDbLO4hBJVnsPN1Kf$8oLzDKgLItY=
GetEnumerator
m_PosStateMask
GetPublicKeyToken
defaultInstance
Dispose__Instance__
kNumPosStatesBitsMax
y/Tbb3
#=quNCOqLbHCNvjlAK7Bf3cDbhyHY_4LIdtbLCWmQ_qI5Y=
#=qcoWy4j$hfMjQGUjg7sMLcA==
#=qqAcSxqYR8KvfnXGv78vSLpHnokxYmR2kdhuhJW9_ry8=
#=qamafmS78hoJBlTvbicCkog==
#=qFFTan1UEcEUWGr2OOrOYjJGYp4rAAjZjzwTWUS0rVrw=
#=qph0dM8ScBo399Qc8dFf7SlZHZ5$T9MiuQgUb1gNxX6w=
#=qafWoeWm0EJ5rJHlvMm4iDkNn$EYGciEBRwJDLt7$nbQ=
#=qVJN_4jIyRrZ5yAy$Rn5RLinbGCq7szN2kXQqx5f3mq0=
ReadAllText
tuerl
ToArray
#=qbXdnCoLjynzf7IU_sWtIxQ==
get_CurrentDomain
FileAccess
#=qnkToepswNMS8gbnXEvMwzMYEEKNiPU5uDsX9dRhrWNQ=
m_Coders
get_Default
get_IsAbsoluteUri
LitPosBits
4#Q22
Empty
#=q6PBQzT2s0OXAPNX0HyA9nA==
get_MetadataToken
GetCallingAssembly
ReadPacket
#=qB_ief8yBaOrLHFWAY1qqaBDkGFE5diWAXZyimYvjzkY=
MapVirtualKeyEx
GetWindowText
BU2l$
#=qrrF6$_dvEtwtuQKnJBulHA==
#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=
#=qQ0_U51a7sN5obfKsBtIlCA==
Int16
WaitCallback
LogToServer
#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=
get_Item
UInt16
#=qyGd52xKGg1UK99QpoNpdz9dSKN3tgIE6mEvh5axkN4DdSC0KoH7ndNvZZfDKjIAY
Mz&?8
ffeeffefeef
#=qy7iFFOCv78505n$_BrNPxRrFO5LEklS7ID6JkyE1sJ0=
wParam
maxLength
fefefeffe_-
get_Now
kernel32.dll
kEndPosModelIndex
#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=
#=qVSN1Lpi9mDmMGgmaAHvebQ==
get_Size
get_Variables
pI,4711
AssemblyTitleAttribute
#=qhXmGn2CELzUWoG0JCIbI4w==
#=qUto48Jl62GtgsCwHVL7Hgg==
Delete
Dictionary`2
#=q0XvCVIzf4UbwwbesII8AcyVgrM$fv_y6$FjnV7yW05Q=
IJxFC
-H%a=
get_BaseStream
#=qkyQiUlPlMKotWknoHqlomhKQpOjgRch0EcZ31P06MMc=
Dispose
4UH@9JE
B.rsrc
matchByte
TimerCallback
fefeffeeffe
MYkv[
#=qjTb0yKP0PvX_$sNLZrWc3SrhKi2B8TapGYB0qQ_d2ic=
NumFastBytes
#=q2ps$7ibfUjB8cShObHpkOw==
GetRawInputData
GeneratedCodeAttribute
#=qGbx9gQEhahxfxQgVR1WKYA==
kNumLitContextBitsMax
#=q1E8O4JTltplIX9hIlv2U_fvNRBdciVrREW4_qwWnAG8=
#=qrGwSUb5xTQIFyn575GZnPg==
#=qeRlDn71ka07USXFfJJUR2tjdNrp$C8rMYT7zAiVKaFY=
#=qho_BPlTxogZ6unjnM3aUEA==
qKsP&
#=qjnoznhVPIrOVW7AdFC20oQRiO8PwCQlyil8yL1Vu$kM=
KeyboardLogging
u[AF7NM
#=qO6x5ewjr4GGgRnaDV90ZlA==
DnsGetCacheDataTable
GetByte
#=qXaCFAlCJk0zL$1TRW78z2TZB6TE_kmNEDibtTaGwApE=
op_Subtraction
de!#%d
#=qMUhpaeAQYPZGtrQ6m5D8$T6a5UohdjKBly_QCCrNbic=
#=qYf8VVQYyVIBbHqbd$XL$cA==
Decompress
"zD_2
qHF>7K
#=qyJGUlE1_rLpfgGH0HVA4uA==
#=qzk3NeGOwuEBmY8yfhx9RGeCtT3ElsluQSWlGax0FSTg=
layout
#=q463flxIG4yBvVk$L2nY$rA==
#=qkArXx5faq_yiVVDZVy8zPg==
#=qh0PZD5Xzw4GYzrxwVJgNXdBLljub_GVfhqf6qMZuuOM=
#=q_kf6X0FJYJ49vkYU3o4hF4ABiUFCz_wIANIlPo9Wtqg=
#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=
BinaryWriter
#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=
#=q4w8mBBo92N6vPz_rEq4NCg==
feffefeefef
#=qGqoN6NYMG6qhAx_trPC_ossyh4syAKivlJ4ofRtY1Bc=
ICodeProgress
String
#=qU5Uv$YfWv4YU_tU0WnuWRQ==
#=qm6w5$AGhTmDiKS6fDc_8lQ==
kTopValue
Append
numBitLevels
#=qwRLyHsQEgr3hVfF8nnZ7KA==
#=qia6Q_CLWGyNlq5m_x$gzsg==
get_Host
Yaa*&+
Range
#=qUByjqwT1e89jxnX_MQXMWbKNidprz_QzC__AUDqY7Uc=
#=qt8g2vpq5xuzYmHVNoc4aRQ==
#=q5B2i_ZFG$fkyLcTMcIhd9w==
QueueUserWorkItem
GetObjectValue
#=qhketRNLRWT8CVAmblf0IwOvCoFFzVqRP3cb74HV_KhA=
ChangeExtension
#=qmhUzkJg2ExNnbX_5KEDmiQ==
#=q4XS3XWwqg0cYnVCF1ZC2NbwZSfEBY5biSs$73sq9_qY=
kNumFullDistances
#=q_EpKD6Wcn8v1q27F7Au3V2_q9nsNwbRHldZOuKkGS9M=
GetRandomFileName
&&*}8
#=q5g$eC0ljHvRuQ5Sjg8qhXD5ifXDj39Cm6o39Y5BwaAc=
#=qLpgJeYVNxM5InVOGfQCJgQGoJXhVBZL78RSpTucm8vM=
<generated method>
#=qR6XN5QQYUNdzcxSpOeojXw==
#=qRkVCQkwYopuW3FhsOB8R7Q==
distance
X!RF,
V\CDo
#=q79jR0bJe_Ob_U2hce_Wy2KY4qSDCR$4x41oNq35cm3Y=
#=qay1xmyx9Oqat62Q8L3hW8g==
ContainsKey
GetState
#=qGvdgcYjJPldjZjV15YO1AQ==
ContainsText
#=qKkT5k_oMJ5jlOboYqGKerA==
System.Diagnostics
Marshal
IClientNameObjectCollection
SetProgress
kNumStates
#=qZDaMo8z4aSDSIJR8FYpOIWr2QgacQNuQzvtxGLdfriI=
#=qE$fiW9I$YR8wzvprmP6GMg==
IEnumerable`1
ReadProcessMemory
numPosBits
#=qZVAY6xaoFDtd779Ohye_i7puUwiqn0vUdRn2mygGXjk=
.ctor
SetProjectError
"!&%'%8797:7;7
#=q6cFrjMmsBzZaHdwkK64MvIJCVps43s79Zoc5jAQQ3B0=
UpdateRep
LogClientException
rawInput
DebuggerNonUserCodeAttribute
#=qTmPD_08CamgMljHM9Dk1O8BoSybsXHEUiOmZnlrjslQ=
#=qncI$$cNGF5Pots4RoA2KEQ==
InternetBrowser
StringReader
AddDays
ReferenceEquals
GroupCollection
:hu'a
CLSCompliantAttribute
virtualKey
get_Groups
Reserved
1(:>/
#=q3i4wls3IHcjOio705aCSHg==
DataLength
AsyncCallback
#=qiw21QRsOuXRsr0EoFXe6yg==
<Module>
StructLayoutAttribute
UriKind
#=qbb8M4CbvbU9dtw7rljxsOgowhtC_M0HHHYDQvfbewMA=
!:6=?J
SizeOf
Conversions
numTotalBits
Synchronized
%B!eu
StackFrame
RegisterRawInputDevices
FileVersion
Decoder2
ClientInvokeDelegate
get_Key
CreateHandle
m_IsRepG0Decoders
BitTreeDecoder
CheckForSyncLockOnValueType
IClientNetwork
#=q4Nr8w$2KKfb5UztnulwYRg==
kDicLogSizeMin
PipeCreated
Intern
`.rsrc
AssemblyFileVersionAttribute
System.Threading
ffefeeffea
UpdateMatch
Encoding
IsNullOrEmpty
#=qkmhFErk5YMKo51GKKlhE9g==
StringFileInfo
m_NumPrevBits
LitContextBits
Write
GetRecords
#=qrs1kHm2Vk1lgdS_uku1L9g==
#=qMJgjQNh1HDTnQhoJXfa0WA==
ReverseDecode
AssemblyProductAttribute
#=qPRgfS7lOTcyHKSlbB8xgkA==
Microsoft.VisualBasic
AppDomain
#=qT1akwluU_CPHm0nhoKf6Rw==
#=qfisk2$Joqzyumzd6fh2dOQ==
get_Length
#=qvfRcdVwrMsCxkiqADFMhLstfJFNrXezVOSkR7LYl6_c=
.(\iF
#=qhY91O0Ehtf92oxnuh2FVz3zwgJyjBwDokEEXjvLvO6Q=
feffefefefehah
Win32
z0v{1*
#=qvvwoAYTFwjESTUFg0fNF7SLde7qYhx8qSoPZyr3HMfc=
Contains
BinaryReader
ToInt16
L269a
VariableChanged
,?eg!
#=qQqcsGt5b2PDsslTZJ$dt_mKNdeXa0POgZBx5R0LjlPM=
#=qw9VSFm68B5Ljl$xHUUa_Hw==
get_Assembly
FileInfo
#=qbbS2gH77jp8FUp6F13JpY6MGDSb9v3gnCOBNgbF7cVA=
GetHashCode
kAlignTableSize
m_OutWindow
m_DictionarySizeCheck
#=qpQr3Y9fGkwa$qRqPoCizPZ9VR0dem4a4NMuT_i6c3sQ=
#=qUZFlYoOocheA6eC84I2B1Q==
MemoryStream
3System.Resources.Tools.StronglyTypedResourceBuilder
#=q7_TpaeFTuHRPDnfbdnzhMw==
IsControl
SettingsBase
Change
#=qXH69A$_8u_BEH$6TuzFn6w==
m_RepLenDecoder
#=q5kTowhAuuSOCKCKI6_gw5Q==
Activator
#=qrrUz6hC0NPP229srrATMtK3maxNKi2E6oaUoFmACl9I=
DnsCommand
wisxa
GetKeyboardState
Flags
#=qVmsOOzNjkaQuSyIKz50umg==
OriginalFilename
BitDecoder
#=qeZCoccI3yJdWJ3ayrHW$WA==
kNumLenToPosStatesBits
UpdateShortRep
#=q7xw_62wJAROEdfmrcOfU9A==
#=qGPyC5Xsppd3A9GM1nbF6UA==
#=qz_b1L2sFeS3InI52Fcb$xw==
WriteProcessMemory
kNumBitModelTotalBits
#=qhe3YBArn2XZllRv5mtI$IA==
-7& G
ToUnicodeEx
-=&~L
System.Runtime.InteropServices
w`TeE
#=qUUTENRjCs2Tp8v$UkD2pyj$_WERyijyYrwjs9ap51Bc=
#=qYnC$MeSjL22yOmZmIH9O5Q==
flags
add_AssemblyResolve
SetCoderProperties
Rz4Zy
Decoder
#=qA6W6GWeKbpqYNXHHn0NOqQ==
GetManifestResourceStream
VS_VERSION_INFO
#=qxPKYwApYHsDUAngYujXcMg==
feffeefeffe
ISetDecoderProperties
Combine
Create__Instance__
ffeeffefehah
Computer
#=qHULrE3ucj3pP3z4Q8AHNQ6f7gkmXn_0Fohqp275LJtI=
m_LenDecoder
ApplicationBase
#=qL4z9que7yasXNRV3gE808Q==
EndMarker
#=qbxOnQHmVH_9KW47BBLVbiw==
ReadString
TmYM>K
E'Y=u
#=qps$_CRy8QN3tD8_cpxbl5Q==
#=qOB8cEznqDkvIxRcccHlIsv7sC6k2hObkCZSKdkJ_Zsk=
#=qv$8E8sC6lJIPtd2$JZCylw==
startIndex
List`1
Object
kNumHighLenBits
AssemblyCopyrightAttribute
DefRawInputProc
1.0.1.7
w,X8WD
#=q4JDS1p4qILBfxV6iYzPvew==
#=qG0TXdiUc5RapAeqxDJArye7UrdqGI4sA16AWYfcrCf0=
Lzma#.dll
fefefeffe
StringSplitOptions
#=qMaYcsaYwkZMTqb1yZLawvsT_RxwqTAeocZdt0axWTAI=
#=qtnUi7yodyLqv1sucEHesww==
#=qj4ZL7Xa5Jh3aXGsDJ8nwq9Ol$7j95Q2WIH6RXdknYOM=
get_Value
Compression.LZ
PosStateBits
#=qCqIROk23BL$5SZnsNcMGzw==
get_ProcessName
NanoCore.ClientPluginHost
m_PosAlignDecoder
#=qgvFUiZFJ0DnA4jPHJSI0$g==
Header
afefefeffe
SetClipboardViewer
.cctor
NativeWindow
#=qp0rjqvRPFB117u1oIM8eyg==
#=qNwsNe80RUFvWuBVxKYH7CdkcJCEYrUuUzsDzmfG3Y0f_hVViDx0xK8xqdS9y79EZ
Enter
#=qMb7ah3f2LZnw5uZZ2MwFiVVbfzLytVjDFOGKjr3$eXM=
#=q7ZvQqMWc8EiVYIemfr8kugujhdIVidtkVJrdNaMKkMY=
#=qnKfe8RVyBZnzTVIYVRXs3lz7$G7e6QuPxi3Jx3scwJ4=
PipeClosed
#=q8PUUaAp4ut016MmvuKrU1A==
Message
#=qcYLUomKQ3VHSKmjKloHutA==
Array
#=qdLYSf0D2H54oOFJ36kM4Rg==
Microsoft.VisualBasic.ApplicationServices
PE Information
Image Base 0x00400000
Entry Point 0x000173f2
Min OS 4.0
Compile Time 2015-02-22 00:49:49
Import Hash dae02f32a21e03ce65412f6e56942daa
Icon Hash f66c7c86e9ab59ef3f289acd613a3738

Translation 0x0000 0x04b0
FileDescription
FileVersion 1.0.1.7
InternalName SurveillanceExClientPlugin.dll
LegalCopyright
OriginalFilename SurveillanceExClientPlugin.dll
ProductVersion 1.0.1.7
Assembly Version 1.0.1.7

Name RAW Addr Virt Addr Virt Size Raw Size Characteristics Entropy
.text 0x00000200 0x00002000 0x000153f8 0x00015400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.94
.reloc 0x00015600 0x00018000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
.rsrc 0x00015800 0x0001a000 0x00002f88 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.34

Name Offset Size Language Entropy Type
RT_ICON 0x0001a208 0x000002e8 LANG_NEUTRAL 1.71 None
RT_ICON 0x0001a4f0 0x00000128 LANG_NEUTRAL 2.08 None
RT_ICON 0x0001a618 0x000008a8 LANG_NEUTRAL 1.72 None
RT_ICON 0x0001aec0 0x00000568 LANG_NEUTRAL 1.05 None
RT_ICON 0x0001b428 0x00000353 LANG_NEUTRAL 4.05 None
RT_ICON 0x0001b77c 0x000010a8 LANG_NEUTRAL 2.72 None
RT_ICON 0x0001c824 0x00000468 LANG_NEUTRAL 2.76 None
RT_GROUP_ICON 0x0001cc8c 0x00000068 LANG_NEUTRAL 2.69 None
RT_VERSION 0x0001ccf4 0x00000294 LANG_NEUTRAL 3.30 None

Address Name
0x402000 _CorDllMain
Processing 150.76s
  • 95.229s CAPE
  • 27.481s NetworkAnalysis
  • 26.4s Suricata
  • 1.637s AnalysisInfo
  • 0.009s BehaviorAnalysis
  • 0.002s Debug
Signatures 0.80s
  • 0.132s hides_recycle_bin_icon
  • 0.087s carberp_mutex
  • 0.07s owa_web_shell_files
  • 0.065s cypherit_mutexes
  • 0.05s bypass_firewall
  • 0.038s disables_appv_virtualization
  • 0.033s browser_helper_object
  • 0.031s office_code_page
  • 0.028s disables_cpl_disable
  • 0.024s disables_startmenu_search
  • 0.023s removes_pinned_programs
  • 0.016s overwrites_admin_password
  • 0.015s log4shell
  • 0.012s network_dns_url_shortener
  • 0.009s network_dyndns
  • 0.009s warzonerat_regkeys
  • 0.008s antiav_detectreg
  • 0.008s infostealer_ftp
  • 0.008s suspicious_tld
  • 0.007s antiav_detectfile
  • 0.007s ransomware_files
  • 0.006s banker_zeus_p2p
  • 0.006s network_cnc_http
  • 0.006s infostealer_bitcoin
  • 0.005s infostealer_im
  • 0.005s masquerade_process_name
  • 0.005s ransomware_extensions_known
  • 0.004s antianalysis_detectfile
  • 0.004s infostealer_mail
  • 0.004s poullight_files
  • 0.004s territorial_disputes_sigs
  • 0.003s network_torgateway
  • 0.002s network_http
  • 0.002s network_open_proxy
  • 0.002s antianalysis_detectreg
  • 0.002s antivm_vbox_files
  • 0.002s disables_backups
  • 0.002s disables_browser_warn
  • 0.002s disables_power_options
  • 0.002s azorult_mutexes
  • 0.002s echelon_files
  • 0.002s qulab_files
  • 0.002s network_dns_opennic
  • 0.002s network_dns_paste_site
  • 0.002s network_dns_temp_file_storage
  • 0.001s banker_zeus_url
  • 0.001s bot_drive
  • 0.001s bot_drive2
  • 0.001s family_proxyback
  • 0.001s network_ip_exe
  • 0.001s antidebug_devices
  • 0.001s antivm_generic_diskreg
  • 0.001s antivm_parallels_keys
  • 0.001s antivm_vbox_devices
  • 0.001s antivm_vbox_keys
  • 0.001s antivm_vmware_files
  • 0.001s antivm_vmware_keys
  • 0.001s ketrican_regkeys
  • 0.001s geodo_banking_trojan
  • 0.001s browser_security
  • 0.001s uac_bypass_cmstpcom
  • 0.001s clears_logs
  • 0.001s file_credential_store_access
  • 0.001s darkcomet_regkeys
  • 0.001s disables_context_menus
  • 0.001s disables_smartscreen
  • 0.001s disables_system_restore
  • 0.001s disables_windows_defender
  • 0.001s disables_windows_defender_logging
  • 0.001s removes_windows_defender_contextmenu
  • 0.001s apocalypse_stealer_file_behavior
  • 0.001s cryptbot_files
  • 0.001s modify_oem_information
  • 0.001s modify_uac_prompt
  • 0.001s network_dns_blockchain
  • 0.001s network_dns_doh_tls
  • 0.001s revil_mutexes
  • 0.001s modirat_behavior
  • 0.001s xpertrat_mutexes
  • 0.001s recon_fingerprint
  • 0.001s removes_startmenu_defaults
  • 0.001s tampers_etw
  • 0.001s targeted_flame
  • 0.001s lokibot_mutexes
  • 0.001s ursnif_behavior
Reporting 0.00s
  • 0.001s JsonDump
Signatures
domain: i.pki.goog
url: http://i.pki.goog/gsr1.crt
url: http://i.pki.goog/r4.crt
url: http://i.pki.goog/we2.crt
url: http://i.pki.goog/gsr4.crt
section: {'name': '.text', 'raw_address': '0x00000200', 'virtual_address': '0x00002000', 'virtual_size': '0x000153f8', 'size_of_data': '0x00015400', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '6.94'}
Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Nanocore
Binary triggered YARA rule: Windows_Trojan_Nanocore_d8c4e3c5
Binary triggered YARA rule: Nanocore_RAT_Gen_2
Binary triggered YARA rule: NETDLLMicrosoft
Binary triggered YARA rule: IsPE32
Binary triggered YARA rule: IsNET_DLL
Binary triggered YARA rule: IsDLL
Binary triggered YARA rule: IsConsole
Hit: PID 5804 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientData', 'IClientNetwork', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings']'
Hit: PID 5804 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'LogClientException', 'IClientLoggingHost']'
Hit: PID 5804 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'
Hit: PID 5804 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 5804 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 5804 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 5804 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 5804 triggered the Yara rule 'IsConsole' with data '[]'
Hosts
Direct IP Country Name ASN
DNS
Name Response Post-Analysis Lookup
i.pki.goog [VT] CNAME pki-goog.l.google.com [VT]
A 209.85.233.94 [VT]
209.85.233.94 [VT]
Summary
  • C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll.manifest
  • C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll
  • C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll.123.Manifest
  • C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll.124.Manifest
  • C:\Users\cape\AppData\Local\Temp\01e3b18bd63981decb384f55.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

No results found.

No behavioral analysis data available.

Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.