Analysis Report · CAPE Sandbox

Detection(s):

Analysis Details

Category	Package	Started	Completed	Duration	Logs
FILE	exe	2026-04-25 09:54:33	2026-04-25 09:59:22	289s
Reports	JSON

Analysis Log

2026-03-05 20:34:38,257 [root] INFO: Date set to: 20260425T09:55:11, timeout set to: 200
2026-04-25 09:55:11,125 [root] DEBUG: Starting analyzer from: C:\r4q0i2l_
2026-04-25 09:55:11,156 [root] DEBUG: Storing results at: C:\pFgSGb
2026-04-25 09:55:11,172 [root] DEBUG: Pipe server name: \\.\PIPE\iRkbqMIcVR
2026-04-25 09:55:11,187 [root] DEBUG: Python path: C:\Python310
2026-04-25 09:55:11,281 [root] INFO: analysis running as an admin
2026-04-25 09:55:11,297 [root] INFO: analysis package specified: "exe"
2026-04-25 09:55:11,297 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2026-04-25 09:55:11,359 [root] DEBUG: imported analysis package "exe"
2026-04-25 09:55:11,391 [root] DEBUG: initializing analysis package "exe"...
2026-04-25 09:55:11,391 [lib.common.common] INFO: wrapping
2026-04-25 09:55:11,391 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-25 09:55:11,391 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe
2026-04-25 09:55:11,391 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2026-04-25 09:55:11,391 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2026-04-25 09:55:11,391 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2026-04-25 09:55:11,391 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2026-04-25 09:55:11,469 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-04-25 09:55:11,547 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-04-25 09:55:11,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-04-25 09:55:11,578 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-04-25 09:55:11,687 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-25 09:55:11,891 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-25 09:55:11,953 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-25 09:55:12,875 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-04-25 09:55:12,891 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-04-25 09:55:12,891 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-04-25 09:55:12,891 [root] DEBUG: Initialized auxiliary module "Browser"
2026-04-25 09:55:12,891 [root] DEBUG: attempting to configure 'Browser' from data
2026-04-25 09:55:12,906 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-04-25 09:55:12,906 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-04-25 09:55:12,906 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-04-25 09:55:12,906 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-04-25 09:55:12,906 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-04-25 09:55:12,906 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-04-25 09:55:12,922 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-04-25 09:55:12,922 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-04-25 09:55:39,172 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-04-25 09:55:39,187 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-04-25 09:55:39,203 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-04-25 09:55:39,219 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-04-25 09:55:39,219 [root] DEBUG: attempting to configure 'Disguise' from data
2026-04-25 09:55:39,219 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-04-25 09:55:39,219 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-04-25 09:55:39,344 [modules.auxiliary.disguise] INFO: Disguising GUID to 339d92a4-c255-4420-97b0-5631bd58867a
2026-04-25 09:55:39,359 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-04-25 09:55:39,375 [root] DEBUG: Initialized auxiliary module "Human"
2026-04-25 09:55:39,375 [root] DEBUG: attempting to configure 'Human' from data
2026-04-25 09:55:39,375 [root] DEBUG: module Human does not support data configuration, ignoring
2026-04-25 09:55:39,375 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-04-25 09:55:39,391 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-04-25 09:55:39,391 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-04-25 09:55:39,391 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-04-25 09:55:39,391 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-04-25 09:55:39,391 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-04-25 09:55:39,437 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-04-25 09:55:39,500 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-04-25 09:55:39,500 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-04-25 09:55:39,516 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-04-25 09:55:39,516 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-04-25 09:55:39,516 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644
2026-04-25 09:55:39,750 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\r4q0i2l_\dll\644.ini
2026-04-25 09:55:39,766 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-25 09:55:39,859 [lib.api.process] INFO: 64-bit DLL to inject is C:\r4q0i2l_\dll\agsEkyC.dll, loader C:\r4q0i2l_\bin\HLnLkMTh.exe
2026-04-25 09:55:40,047 [root] DEBUG: Loader: Injecting process 644 with C:\r4q0i2l_\dll\agsEkyC.dll.
2026-04-25 09:55:40,922 [root] DEBUG: 644: Python path set to 'C:\Python310'.
2026-04-25 09:55:40,937 [root] DEBUG: 644: Disabling sleep skipping.
2026-04-25 09:55:40,937 [root] DEBUG: 644: TLS secret dump mode enabled.
2026-04-25 09:55:41,187 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-25 09:55:41,203 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABAE0000, thread 7752, image base 0x00007FF7C23E0000, stack from 0x0000008E4CBF2000-0x0000008E4CC00000
2026-04-25 09:55:41,203 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe
2026-04-25 09:55:41,391 [root] DEBUG: 644: Hooked 5 out of 5 functions
2026-04-25 09:55:41,406 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\pFgSGb\tlsdump\tlsdump.log
2026-04-25 09:55:41,422 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-25 09:55:41,422 [root] DEBUG: Successfully injected DLL C:\r4q0i2l_\dll\agsEkyC.dll.
2026-04-25 09:55:41,437 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>
2026-04-25 09:55:41,437 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-04-25 09:55:50,187 [root] INFO: Restarting WMI Service
2026-04-25 09:55:50,251 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-04-25 09:55:50,251 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-04-25 09:55:50,251 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-25 09:55:50,391 [lib.api.process] INFO: Successfully executed process from path "C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe" with arguments "" with pid 6484
2026-04-25 09:55:50,391 [lib.api.process] INFO: Monitor config for <Process 6484 91d880890f6e481edcbe.exe>: C:\r4q0i2l_\dll\6484.ini
2026-04-25 09:55:50,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\r4q0i2l_\dll\hizPnd.dll, loader C:\r4q0i2l_\bin\fyLUmkl.exe
2026-04-25 09:55:50,781 [root] DEBUG: Loader: Injecting process 6484 (thread 6504) with C:\r4q0i2l_\dll\hizPnd.dll.
2026-04-25 09:55:50,797 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2026-04-25 09:55:50,797 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2026-04-25 09:55:50,797 [root] DEBUG: Successfully injected DLL C:\r4q0i2l_\dll\hizPnd.dll.
2026-04-25 09:55:50,797 [lib.api.process] INFO: Injected into 32-bit <Process 6484 91d880890f6e481edcbe.exe>
2026-04-25 09:55:52,812 [lib.api.process] INFO: Successfully resumed <Process 6484 91d880890f6e481edcbe.exe>
2026-04-25 09:55:54,484 [root] DEBUG: 6484: Python path set to 'C:\Python310'.
2026-04-25 09:55:54,516 [root] DEBUG: 6484: Disabling sleep skipping.
2026-04-25 09:55:54,516 [root] DEBUG: 6484: Dropped file limit defaulting to 100.
2026-04-25 09:55:54,547 [root] DEBUG: 6484: YaraInit: Compiled 44 rule files
2026-04-25 09:55:54,562 [root] DEBUG: 6484: YaraInit: Compiled rules saved to file C:\r4q0i2l_\data\yara\capemon.yac
2026-04-25 09:55:54,562 [root] DEBUG: 6484: YaraScan: Scanning 0x00590000, size 0x1f0
2026-04-25 09:55:54,562 [root] DEBUG: 6484: Monitor initialised: 32-bit capemon loaded in process 6484 at 0x73ea0000, thread 6504, image base 0x590000, stack from 0x952000-0x960000
2026-04-25 09:55:54,562 [root] DEBUG: 6484: Commandline: "C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe"
2026-04-25 09:55:55,687 [root] DEBUG: 6484: Yara error: Scanning timed out
2026-04-25 09:55:56,781 [root] DEBUG: 6484: Yara error: Scanning timed out
2026-04-25 09:55:56,797 [root] DEBUG: 6484: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0)
2026-04-25 09:55:56,797 [root] DEBUG: 6484: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780)
2026-04-25 09:55:56,797 [root] DEBUG: 6484: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0)
2026-04-25 09:55:57,109 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-25 09:55:57,109 [root] DEBUG: 6484: set_hooks: Unable to hook GetCommandLineA
2026-04-25 09:55:57,109 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-25 09:55:57,125 [root] DEBUG: 6484: set_hooks: Unable to hook GetCommandLineW
2026-04-25 09:55:57,469 [root] DEBUG: 6484: Hooked 630 out of 632 functions
2026-04-25 09:55:57,719 [root] DEBUG: 6484: Syscall hook installed, syscall logging level 1
2026-04-25 09:55:57,735 [root] INFO: Loaded monitor into process with pid 6484
2026-04-25 09:55:58,547 [root] DEBUG: 6484: DLL loaded at 0x73DB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2026-04-25 09:55:59,375 [root] DEBUG: 6484: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-25 09:55:59,375 [root] DEBUG: 6484: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-25 09:55:59,391 [root] DEBUG: 6484: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2026-04-25 09:56:03,547 [root] DEBUG: 6484: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 6504).
2026-04-25 09:56:03,547 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-25 09:56:04,281 [root] DEBUG: 6484: DLL loaded at 0x736E0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80 (0x9b000 bytes).
2026-04-25 09:56:04,547 [root] DEBUG: 6484: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-25 09:56:04,547 [root] DEBUG: 6484: DLL loaded at 0x73780000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x621000 bytes).
2026-04-25 09:56:10,875 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x0288A000, size: 0x1000.
2026-04-25 09:56:10,891 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x02880000
2026-04-25 09:56:10,891 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:10,891 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02880000.
2026-04-25 09:56:10,953 [root] DEBUG: 6484: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes).
2026-04-25 09:56:10,985 [root] DEBUG: 6484: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes).
2026-04-25 09:56:10,985 [root] DEBUG: 6484: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes).
2026-04-25 09:56:11,000 [root] DEBUG: 6484: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes).
2026-04-25 09:56:13,094 [root] DEBUG: 6484: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6504).
2026-04-25 09:56:13,110 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-25 09:56:13,110 [root] DEBUG: 6484: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2026-04-25 09:56:17,875 [root] DEBUG: 6484: DLL loaded at 0x72BE0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\07fedecf3b964c4d26a6ec994226efe4\mscorlib.ni (0xb00000 bytes).
2026-04-25 09:56:20,328 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x02892000, size: 0x1000.
2026-04-25 09:56:20,344 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x02890000
2026-04-25 09:56:20,344 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:21,297 [root] DEBUG: 6484: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-25 09:56:21,313 [root] DEBUG: 6484: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-25 09:56:24,172 [root] DEBUG: 6484: caller_dispatch: Added region at 0x04FE0000 to tracked regions list (kernel32::SetErrorMode returns to 0x04FE0626, thread 6504).
2026-04-25 09:56:24,188 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x04FE0000 - 0x04FE0FFE.
2026-04-25 09:56:24,188 [root] DEBUG: 6484: ScanForDisguisedPE: No PE image located in range 0x04FE0000-0x04FE0FFE.
2026-04-25 09:56:24,688 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_45377012456625642026 to CAPE\a421fa5d14332f486ba5b5d74499679aab17e99d022e25d0384d0917a615fcc3; Size is 4094; Max size: 100000000
2026-04-25 09:56:24,688 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_45377012456625642026 (size 4094 bytes)
2026-04-25 09:56:24,688 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x04FE0000, size 4096 bytes.
2026-04-25 09:56:24,703 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x04FE0000.
2026-04-25 09:56:24,703 [root] DEBUG: 6484: YaraScan: Scanning 0x04FE0000, size 0xffe
2026-04-25 09:56:24,703 [root] DEBUG: 6484: ReverseScanForNonZero: Error - Supplied size zero.
2026-04-25 09:56:24,719 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_141028832456625642026 to CAPE\e80dcbee37f3881c3405857c3eb3c0bc117b40c7acb794ebf6c8083d8840eab7; Size is 354; Max size: 100000000
2026-04-25 09:56:24,719 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_141028832456625642026 (size 354 bytes)
2026-04-25 09:56:24,735 [root] DEBUG: 6484: DumpRegion: Dumped region at 0x0288A000, size 4096 bytes.
2026-04-25 09:56:24,735 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x0288A000.
2026-04-25 09:56:24,735 [root] DEBUG: 6484: ReverseScanForNonZero: Error - Supplied address inaccessible: 0x02880FFF
2026-04-25 09:56:24,751 [root] DEBUG: 6484: YaraScan: Nothing to scan at 0x0288A000!
2026-04-25 09:56:26,235 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:26,453 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x03FEB000, size: 0x1000.
2026-04-25 09:56:26,453 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x03FE0000
2026-04-25 09:56:26,453 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:26,469 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FE0000.
2026-04-25 09:56:27,891 [root] DEBUG: 6484: DLL loaded at 0x72430000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c60dd1ee843ba8ff9ee7edcd6302393b\System.ni (0x7a8000 bytes).
2026-04-25 09:56:28,235 [root] DEBUG: 6484: DLL loaded at 0x722A0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\a03dd8871929955c680232682c9464a0\System.Drawing.ni (0x189000 bytes).
2026-04-25 09:56:28,360 [root] DEBUG: 6484: DLL loaded at 0x716C0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\194e1e92bfae5396086518c2ec0a0f74\System.Windows.Forms.ni (0xbe0000 bytes).
2026-04-25 09:56:28,688 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:28,735 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:28,766 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:28,766 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:28,828 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-25 09:56:28,875 [root] DEBUG: 6484: DLL loaded at 0x71660000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2026-04-25 09:56:29,078 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:29,110 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x05070000, size: 0x1000.
2026-04-25 09:56:29,110 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:29,344 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:29,441 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x05070000 - 0x05070564.
2026-04-25 09:56:29,453 [root] DEBUG: 6484: ScanForDisguisedPE: Size too small: 0x564 bytes
2026-04-25 09:56:29,453 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_90156062956625642026 to CAPE\ad377bc1882345987f8d7f32117df03e8918144a6039f0a89ded1742ba15df70; Size is 1380; Max size: 100000000
2026-04-25 09:56:29,485 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_90156062956625642026 (size 1380 bytes)
2026-04-25 09:56:29,485 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x05070000, size 4096 bytes.
2026-04-25 09:56:29,485 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x05070000.
2026-04-25 09:56:29,500 [root] DEBUG: 6484: YaraScan: Scanning 0x05070000, size 0x564
2026-04-25 09:56:29,500 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x7F350000, size: 0x50000.
2026-04-25 09:56:29,516 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x7F350000
2026-04-25 09:56:29,516 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:29,516 [root] DEBUG: 6484: AllocationHandler: Processing previous tracked region at: 0x05070000.
2026-04-25 09:56:29,516 [root] DEBUG: 6484: ProcessTrackedRegion: Updated entropy for tracked region at 0x05070000: 2.794909e+00 (from 0.000000e+00)
2026-04-25 09:56:29,610 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x05070000 - 0x05070564.
2026-04-25 09:56:29,625 [root] DEBUG: 6484: ScanForDisguisedPE: Size too small: 0x564 bytes
2026-04-25 09:56:29,673 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_106796802956625642026 to CAPE\ad377bc1882345987f8d7f32117df03e8918144a6039f0a89ded1742ba15df70; Size is 1380; Max size: 100000000
2026-04-25 09:56:29,703 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_106796802956625642026 (size 1380 bytes)
2026-04-25 09:56:29,703 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x05070000, size 4096 bytes.
2026-04-25 09:56:29,703 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x05070000.
2026-04-25 09:56:29,703 [root] DEBUG: 6484: YaraScan: Scanning 0x05070000, size 0x564
2026-04-25 09:56:29,719 [root] DEBUG: 6484: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F350000.
2026-04-25 09:56:29,719 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x7F350000, committing at: 0x7F350000.
2026-04-25 09:56:29,719 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x7F350000.
2026-04-25 09:56:29,735 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x7F340000, size: 0x10000.
2026-04-25 09:56:29,735 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x7F340000
2026-04-25 09:56:29,735 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:29,750 [root] DEBUG: 6484: AllocationHandler: Processing previous tracked region at: 0x7F350000.
2026-04-25 09:56:29,750 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x7F350000 - 0x7F35002C.
2026-04-25 09:56:29,750 [root] DEBUG: 6484: ScanForDisguisedPE: Size too small: 0x2c bytes
2026-04-25 09:56:29,750 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_120270002956625642026 to CAPE\064ec728231780bebf305dc752c6dbeca6cb311f53dec5a57657cd7d5a42f2a9; Size is 44; Max size: 100000000
2026-04-25 09:56:29,769 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_120270002956625642026 (size 44 bytes)
2026-04-25 09:56:29,769 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x7F350000, size 4096 bytes.
2026-04-25 09:56:29,769 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x7F350000.
2026-04-25 09:56:29,781 [root] DEBUG: 6484: YaraScan: Scanning 0x7F350000, size 0x2c
2026-04-25 09:56:29,781 [root] DEBUG: 6484: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F340000.
2026-04-25 09:56:29,781 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x7F340000, committing at: 0x7F340000.
2026-04-25 09:56:29,860 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x03FDA000, size: 0x1000.
2026-04-25 09:56:30,172 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x03FCA000, size: 0x1000.
2026-04-25 09:56:30,172 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x03FC0000
2026-04-25 09:56:30,188 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:30,188 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FC0000.
2026-04-25 09:56:30,297 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02880000.
2026-04-25 09:56:30,391 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-25 09:56:30,516 [root] DEBUG: 6484: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2026-04-25 09:56:30,985 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FC0000.
2026-04-25 09:56:31,313 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:31,594 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:31,625 [root] DEBUG: 6484: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2026-04-25 09:56:31,641 [root] DEBUG: 6484: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2026-04-25 09:56:31,641 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x07880000, size: 0x1000.
2026-04-25 09:56:31,641 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:31,688 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:31,688 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FE0000.
2026-04-25 09:56:31,797 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:31,891 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x07890000, size: 0x1000.
2026-04-25 09:56:31,891 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:32,204 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x07A41000, size: 0x1000.
2026-04-25 09:56:32,235 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,250 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,250 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,266 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,266 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x078A0000, size: 0x8000.
2026-04-25 09:56:32,266 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x078A0000
2026-04-25 09:56:32,281 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:32,281 [root] DEBUG: 6484: AllocationHandler: Processing previous tracked region at: 0x07A40000.
2026-04-25 09:56:32,281 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x07A40000 - 0x07A47FFE.
2026-04-25 09:56:32,281 [root] DEBUG: 6484: ScanForDisguisedPE: No PE image located in range 0x07A40000-0x07A47FFE.
2026-04-25 09:56:32,298 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_79081833256625642026 to CAPE\833716013580540b419235427cbc5a709845b35d92acea3efe9d77e038f00cf4; Size is 32766; Max size: 100000000
2026-04-25 09:56:32,328 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_79081833256625642026 (size 32766 bytes)
2026-04-25 09:56:32,328 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x07A40000, size 32768 bytes.
2026-04-25 09:56:32,328 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x07A40000.
2026-04-25 09:56:32,328 [root] DEBUG: 6484: YaraScan: Scanning 0x07A40000, size 0x7ffe
2026-04-25 09:56:32,328 [root] DEBUG: 6484: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x078A0000.
2026-04-25 09:56:32,328 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x078A0000, committing at: 0x078A0000.
2026-04-25 09:56:32,391 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,391 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07A40000.
2026-04-25 09:56:32,422 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:32,453 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:32,562 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-25 09:56:32,578 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x07880000 - 0x07880144.
2026-04-25 09:56:32,578 [root] DEBUG: 6484: ScanForDisguisedPE: Size too small: 0x144 bytes
2026-04-25 09:56:32,625 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_13270883256625642026 to CAPE\a5e6546362978d31355aca9b0dcffe425cf729c012e66deb59eb7ae5bb8aef78; Size is 324; Max size: 100000000
2026-04-25 09:56:32,641 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_13270883256625642026 (size 324 bytes)
2026-04-25 09:56:32,641 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x07880000, size 4096 bytes.
2026-04-25 09:56:32,641 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x07880000.
2026-04-25 09:56:32,641 [root] DEBUG: 6484: YaraScan: Scanning 0x07880000, size 0x144
2026-04-25 09:56:32,750 [root] DEBUG: 6484: DLL loaded at 0x70F00000: C:\Windows\SYSTEM32\shfolder (0x6000 bytes).
2026-04-25 09:56:32,875 [root] INFO: Added new file to list with pid 6484 and path C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\run.dat
2026-04-25 09:56:32,875 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:32,891 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:32,953 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FD0000.
2026-04-25 09:56:32,984 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FD0000.
2026-04-25 09:56:33,203 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:33,469 [root] DEBUG: 6484: DLL loaded at 0x70ED0000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-04-25 09:56:33,531 [root] INFO: Added new file to list with pid 6484 and path C:\Program Files (x86)\NAT Subsystem\natss.exe
2026-04-25 09:56:34,047 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-25 09:56:34,078 [root] DEBUG: 6484: DLL loaded at 0x70EC0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2026-04-25 09:56:34,203 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02880000.
2026-04-25 09:56:34,266 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:34,281 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x07AC0000, size: 0x100000.
2026-04-25 09:56:34,281 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x07AC0000
2026-04-25 09:56:34,281 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:34,281 [root] DEBUG: 6484: AllocationHandler: Processing previous tracked region at: 0x078A0000.
2026-04-25 09:56:34,281 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x078A0000 - 0x078A08C9.
2026-04-25 09:56:34,281 [root] DEBUG: 6484: ScanForDisguisedPE: No PE image located in range 0x078A0000-0x078A08C9.
2026-04-25 09:56:34,297 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_51321843456625642026 to CAPE\be7ca263a502af783d148e1e974f5ae0a964a2b73a4650bd31ff84b2f14c8601; Size is 2249; Max size: 100000000
2026-04-25 09:56:34,297 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_51321843456625642026 (size 2249 bytes)
2026-04-25 09:56:34,297 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x078A0000, size 4096 bytes.
2026-04-25 09:56:34,297 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x078A0000.
2026-04-25 09:56:34,297 [root] DEBUG: 6484: YaraScan: Scanning 0x078A0000, size 0x8c9
2026-04-25 09:56:34,297 [root] DEBUG: 6484: AllocationHandler: Memory region (size 0x100000) reserved but not committed at 0x07AC0000.
2026-04-25 09:56:34,312 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x07AC0000, committing at: 0x07AC0000.
2026-04-25 09:56:34,500 [root] DEBUG: 6484: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-25 09:56:34,563 [root] DEBUG: 6484: DLL loaded at 0x70E40000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes).
2026-04-25 09:56:35,375 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,470 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:35,625 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,735 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:35,828 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,859 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,859 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:35,875 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,875 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:35,891 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:35,891 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07AC0000.
2026-04-25 09:56:35,906 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07AC0000.
2026-04-25 09:56:35,906 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07AC0000.
2026-04-25 09:56:35,922 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:35,984 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:36,000 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:36,031 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07880000.
2026-04-25 09:56:36,047 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:36,047 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:36,062 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:36,844 [root] DEBUG: 6484: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes).
2026-04-25 09:56:37,391 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:37,922 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:37,953 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:38,016 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x05070000.
2026-04-25 09:56:38,047 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:38,047 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x02890000.
2026-04-25 09:56:38,062 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:38,062 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:38,078 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07890000.
2026-04-25 09:56:38,141 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x08360000, size: 0x1000.
2026-04-25 09:56:38,156 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:38,156 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:38,172 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x08300000, size: 0x1000.
2026-04-25 09:56:38,187 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:38,219 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:38,641 [root] DEBUG: 6484: DLL loaded at 0x708C0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\bae24e9bcbc01bb2a0ed4fa751347041\System.Xml.ni (0x53c000 bytes).
2026-04-25 09:56:40,047 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:40,047 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x08360000 - 0x083636D1.
2026-04-25 09:56:40,047 [root] DEBUG: 6484: ScanForDisguisedPE: No PE image located in range 0x08360000-0x083636D1.
2026-04-25 09:56:40,125 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_19274056625642026 to CAPE\c6f4ddc492dbb4b5ee073e68b4cbb26e22867c064e45555f3f866adf987475d7; Size is 14033; Max size: 100000000
2026-04-25 09:56:40,125 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_19274056625642026 (size 14033 bytes)
2026-04-25 09:56:40,125 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x08360000, size 16384 bytes.
2026-04-25 09:56:40,141 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x08360000.
2026-04-25 09:56:40,141 [root] DEBUG: 6484: YaraScan: Scanning 0x08360000, size 0x36d1
2026-04-25 09:56:40,156 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-25 09:56:40,437 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:49,453 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x04FE0000, committing at: 0x04FE1000.
2026-04-25 09:56:49,687 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:49,953 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:49,969 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:49,984 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-25 09:56:49,984 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,063 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,095 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x08320000, size: 0x1000.
2026-04-25 09:56:50,109 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:50,125 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-25 09:56:50,140 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,187 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,203 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-25 09:56:50,219 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,234 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:50,469 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x04FE0000.
2026-04-25 09:56:50,515 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x04FE0000.
2026-04-25 09:56:50,547 [root] DEBUG: 6484: AllocationHandler: Adding allocation to tracked region list: 0x08340000, size: 0x8000.
2026-04-25 09:56:50,609 [root] DEBUG: 6484: GetEntropy: Error - Supplied address inaccessible: 0x08340000
2026-04-25 09:56:50,656 [root] DEBUG: 6484: AddTrackedRegion: GetEntropy failed.
2026-04-25 09:56:50,687 [root] DEBUG: 6484: AllocationHandler: Processing previous tracked region at: 0x08320000.
2026-04-25 09:56:50,750 [root] DEBUG: 6484: DumpRegion: Dump at 0x08320000 skipped due to dump limit 10
2026-04-25 09:56:50,781 [root] DEBUG: 6484: ProcessTrackedRegion: Failed to dump region at 0x08320000.
2026-04-25 09:56:50,812 [root] DEBUG: 6484: YaraScan: Scanning 0x08320000, size 0x784
2026-04-25 09:56:50,828 [root] DEBUG: 6484: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x08340000.
2026-04-25 09:56:50,828 [root] DEBUG: 6484: AllocationHandler: Previously reserved region at 0x08340000, committing at: 0x08340000.
2026-04-25 09:56:50,844 [root] DEBUG: 6484: DLL loaded at 0x747C0000: C:\Windows\system32\mswsock (0x52000 bytes).
2026-04-25 09:56:51,307 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07880000.
2026-04-25 09:56:51,626 [root] DEBUG: 6484: DLL loaded at 0x715D0000: C:\Windows\SYSTEM32\DNSAPI (0x90000 bytes).
2026-04-25 09:56:51,637 [root] DEBUG: 6484: DLL loaded at 0x74BB0000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes).
2026-04-25 09:56:51,646 [root] DEBUG: 6484: DLL loaded at 0x77E20000: C:\Windows\System32\NSI (0x7000 bytes).
2026-04-25 09:56:51,648 [root] DEBUG: 6484: DLL loaded at 0x73E70000: C:\Windows\System32\rasadhlp (0x8000 bytes).
2026-04-25 09:56:52,740 [root] DEBUG: 6484: DLL loaded at 0x71570000: C:\Windows\System32\fwpuclnt (0x59000 bytes).
2026-04-25 09:56:52,780 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:53,217 [root] DEBUG: 6484: DumpRegion: Dump at 0x02890000 skipped due to dump limit 10
2026-04-25 09:56:53,227 [root] DEBUG: 6484: ProcessTrackedRegion: Failed to dump region at 0x02890000.
2026-04-25 09:56:53,227 [root] DEBUG: 6484: YaraScan: Scanning 0x02890000, size 0xad84
2026-04-25 09:56:53,768 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08300000.
2026-04-25 09:56:53,853 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x08360000.
2026-04-25 09:56:53,927 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x07AC0000.
2026-04-25 09:56:58,020 [root] DEBUG: 6484: AllocationHandler: Allocation already in tracked region list: 0x03FC0000.
2026-04-25 09:58:45,625 [root] DEBUG: 6484: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5000
2026-04-25 09:59:13,610 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-25 09:59:13,610 [lib.api.process] INFO: Terminate event set for <Process 6484 91d880890f6e481edcbe.exe>
2026-04-25 09:59:13,610 [root] DEBUG: 6484: Terminate Event: Attempting to dump process 6484
2026-04-25 09:59:13,610 [root] DEBUG: 6484: VerifyCodeSection: Executable code does not match, 0x1c796 of 0x1c797 matching
2026-04-25 09:59:13,610 [root] DEBUG: 6484: DoProcessDump: Code modification detected, dumping Imagebase at 0x00590000.
2026-04-25 09:59:13,625 [root] DEBUG: 6484: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-04-25 09:59:13,625 [root] DEBUG: 6484: DumpProcess: Instantiating PeParser with address: 0x00590000.
2026-04-25 09:59:13,625 [root] DEBUG: 6484: DumpProcess: Module entry point VA is 0x005AE792.
2026-04-25 09:59:13,625 [root] DEBUG: 6484: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00592000, section 1
2026-04-25 09:59:13,641 [root] DEBUG: 6484: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x005B0000, section 2
2026-04-25 09:59:13,641 [root] DEBUG: 6484: reBasePEImage: Exception rebasing image from 0x00590000 to 0x00400000.
2026-04-25 09:59:13,641 [root] DEBUG: 6484: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2026-04-25 09:59:13,719 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_288641359625642026 to procdump\6d95dd6c471c315727e5b1d79e30acaca576e76c5174d935c0bd542ce56cfe19; Size is 91136; Max size: 100000000
2026-04-25 09:59:13,719 [root] DEBUG: 6484: DumpProcess: Module image dump success - dump size 0x16400.
2026-04-25 09:59:13,735 [root] DEBUG: 6484: DumpInterestingRegions: Dumping .NET image at 0x07CC0000.
2026-04-25 09:59:13,735 [root] DEBUG: 6484: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6484)
2026-04-25 09:59:13,750 [root] DEBUG: 6484: DumpPE: Instantiating PeParser with address: 0x07CC0000.
2026-04-25 09:59:13,860 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_153091431359625642026 to CAPE\61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403; Size is 19968; Max size: 100000000
2026-04-25 09:59:13,875 [root] DEBUG: 6484: DumpPE: PE file at 0x07CC0000 dumped successfully - dump size 0x4e00.
2026-04-25 09:59:13,875 [root] DEBUG: 6484: DumpInterestingRegions: Dumping .NET image at 0x07F60000.
2026-04-25 09:59:13,875 [root] DEBUG: 6484: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6484)
2026-04-25 09:59:13,875 [root] DEBUG: 6484: DumpPE: Instantiating PeParser with address: 0x07F60000.
2026-04-25 09:59:13,938 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_59412921359625642026 to CAPE\01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354; Size is 100352; Max size: 100000000
2026-04-25 09:59:13,954 [root] DEBUG: 6484: DumpPE: PE file at 0x07F60000 dumped successfully - dump size 0x18800.
2026-04-25 09:59:13,954 [root] DEBUG: 6484: DumpInterestingRegions: Dumping .NET image at 0x080D0000.
2026-04-25 09:59:13,969 [root] DEBUG: 6484: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6484)
2026-04-25 09:59:13,969 [root] DEBUG: 6484: DumpPE: Instantiating PeParser with address: 0x080D0000.
2026-04-25 09:59:13,985 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_261025001359625642026 to CAPE\f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec; Size is 12288; Max size: 100000000
2026-04-25 09:59:14,000 [root] DEBUG: 6484: DumpPE: PE file at 0x080D0000 dumped successfully - dump size 0x3000.
2026-04-25 09:59:14,016 [root] DEBUG: 6484: DumpPEsInRange: Scanning range 0x08340000 - 0x0834085D.
2026-04-25 09:59:14,016 [root] DEBUG: 6484: ScanForDisguisedPE: No PE image located in range 0x08340000-0x0834085D.
2026-04-25 09:59:14,094 [lib.common.results] INFO: Uploading file C:\pFgSGb\CAPE\6484_3067041459625642026 to CAPE\6b675aee5977bf2c1feca2cf8cbe8b973aa8ac7c03ca3ccb4b7bda31c8f7c4fc; Size is 2141; Max size: 100000000
2026-04-25 09:59:14,110 [root] DEBUG: 6484: DumpMemory: Payload successfully created: C:\pFgSGb\CAPE\6484_3067041459625642026 (size 2141 bytes)
2026-04-25 09:59:14,110 [root] DEBUG: 6484: DumpRegion: Dumped entire allocation from 0x08340000, size 4096 bytes.
2026-04-25 09:59:14,110 [root] DEBUG: 6484: ProcessTrackedRegion: Dumped region at 0x08340000.
2026-04-25 09:59:14,125 [root] DEBUG: 6484: YaraScan: Scanning 0x08340000, size 0x85d
2026-04-25 09:59:14,125 [root] INFO: Added new file to list with pid 6484 and path C:\Users\cape\AppData\Local\Temp\client.log
2026-04-25 09:59:14,125 [lib.api.process] INFO: Termination confirmed for <Process 6484 91d880890f6e481edcbe.exe>
2026-04-25 09:59:14,125 [root] INFO: Terminate event set for process 6484
2026-04-25 09:59:14,141 [root] INFO: Created shutdown mutex
2026-04-25 09:59:14,125 [root] DEBUG: 6484: Terminate Event: monitor shutdown complete for process 6484
2026-04-25 09:59:15,157 [root] INFO: Shutting down package
2026-04-25 09:59:15,157 [root] INFO: Stopping auxiliary modules
2026-04-25 09:59:15,157 [root] INFO: Stopping auxiliary module: Browser
2026-04-25 09:59:15,157 [root] INFO: Stopping auxiliary module: Human
2026-04-25 09:59:15,219 [root] INFO: Stopping auxiliary module: Screenshots
2026-04-25 09:59:16,110 [root] INFO: Finishing auxiliary modules
2026-04-25 09:59:16,110 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-25 09:59:16,125 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\run.dat to files\67302b422117ed46990861bae7ce25023b9076211976eab8f365efecc634799d; Size is 8; Max size: 100000000
2026-04-25 09:59:16,141 [lib.common.results] INFO: Uploading file C:\Program Files (x86)\NAT Subsystem\natss.exe to files\91d880890f6e481edcbe0c5a1a26e8b343d2abeaf4d8c62de04bc75aea6aa7d4; Size is 207360; Max size: 100000000
2026-04-25 09:59:16,157 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\client.log to files\a99c2ec934ef9cb0931cbd3f858f8f3f682453861c87fd7b0fba2913e8961fc4; Size is 20773; Max size: 100000000
2026-04-25 09:59:16,157 [root] WARNING: Folder at path "C:\pFgSGb\debugger" does not exist, skipping
2026-04-25 09:59:16,157 [root] INFO: Uploading files at path "C:\pFgSGb\tlsdump"
2026-04-25 09:59:16,157 [lib.common.results] INFO: Uploading file C:\pFgSGb\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 18906; Max size: 100000000
2026-04-25 09:59:16,172 [root] INFO: Analysis completed

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On
win10x64	win10x64	KVM	2026-04-25 09:54:33	2026-04-25 09:59:21

File Details

Show Parent File

Parent File Info

File Information

File Name	b3b0246050dbb794423cb3135e229649298d9d5fffb91ace6f513fb7d3dcb8b6
File Size	161180 bytes
MD5	d1b295330df8e8f65e4b132f059f2aab
SHA1	23bc51162fbf1817f0972a86b8536c70304f44a9
SHA256	b3b0246050dbb794423cb3135e229649298d9d5fffb91ace6f513fb7d3dcb8b6 VT MWDB Bazaar
CRC32	BD63117E
Ssdeep	None

Tools: Gen Strings Gen BinGraph

File Information

Type	NanoCore Payload: 32-bit executable
File Name	91d880890f6e481edcbe.exe
File Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File Size	207360 bytes
MD5	83bea0f0e38b68c60905c8338a377856
SHA1	66da5c57f3d1dc0949b7408d7fe2c6458bed9f0b
SHA256	91d880890f6e481edcbe0c5a1a26e8b343d2abeaf4d8c62de04bc75aea6aa7d4 VT MWDB Bazaar
SHA3-384	09f8759335170cb2a4dc486968617051d7846fe0b2ed019788aaa77656a0ed3bce5d73ec8e33dd89e632050154be137c
CRC32	564B6117
TLSH	T11E14CF5537A84A3FE29E86B9212212139379C2E3A9C3F3EE1CD465B35F563E50A071D3
Ssdeep	6144:4LV6Bta6dtJmakIM5fKMlO/0hdzxdBQkJy:4LV6BtpmkcKMPzN2
Yara	DITEKSHEN_MALWARE_Win_Nanocore - Detects NanoCore (ditekSHen) Windows_Trojan_Nanocore_d8c4e3c5 - (Elastic Security) Nanocore - detect Nanocore in memory (JPCERT/CC Incident Response Group) Nanocore_RAT_Gen_2 - Detetcs the Nanocore RAT (Florian Roth) NanoCore - ( Kevin Breen <kevin@techanarchy.net>) NETexecutableMicrosoft - (malware-lu) IsPE32 - IsNET_EXE - IsWindowsGUI - IsPacked - Entropy Check Microsoft_Visual_Studio_NET - Microsoft_Visual_C_v70_Basic_NET_additional - Microsoft_Visual_C_Basic_NET - Microsoft_Visual_Studio_NET_additional - Microsoft_Visual_C_v70_Basic_NET - NET_executable_ - NET_executable -
CAPE Yara	NanoCore NanoCore Payload

Tools: PE Strings Gen BinGraph

Strings

#=qoTNlk$Wngv$bqPRyj4mJig==
Environment
#=qKraENZVscKMtH4GMIJjzqA==
_Lambda$__2
ReadInt16
NtSetInformationProcess
0csX=
pd.ir/
0z-a6
RebuildHostCache
EndPoint
Random
#=qbwvWShVSL8DgrXXfPQ9kNmpf6pmcj6q57bPfcsBp938=
WriteAllText
AddressFamily
#=qZ8pysPk74rQ5GX0s5CkOJQ==
Int32
]g0\c
FdJJB
maH/q
#=qYpD2x2QTNARNJcnXxG0OjQ==
r#$S-u
$\2N(
#=qeMVJwq86lZc4hsNJNMQJVYiQqG94mfqhBGc9gH9UUgM=
#=qB4sApeDyjGxBivHLwR3FTJejGBlbih3hr3f3TS7BFbY=
N?#H\\"
System.Text
#=qmcl1D6lgUOLuKGFFyxMamg==
FileCommand
#=qN9Enun6Rlq30xNdBjhzY0A==
#=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=
#=q4X5fhkJm5XS4LlpLIyB6bA==
add_Completed
Pl3SrvO
Uninstall
6Im'@B
#=qq_SehjaC_F9U66vu1NLqjA==
#=qL6PdpQwMNSdyVKw3FgboNw==
#=qPfVuk6552RtecCgHDnGSkA==
#=qkcVkJskuGA4o7kGuN79i1w==
#=q$6NbEg0Hb4neXdXPgEgHJA==
#=qd8WIZO8f6IRqdUmvxawj1w==
#=qGxD085Z3RQaUY4iGwWH$xgEmRYVWDAN6hxNjaXokfVc=
Q01x~
#=qyM$eq2QFDjIwNzxtrtw3WE5gHFsUOsREqnRunYWzTvs=
ReadAllBytes
FileStream
MemberInfo
h"Nv<]c]'
get_Width
#=qCJD3QzeNpOG7t7hUNPqgxgwPhMjv4aui2ikN049iz28=
#=qzRcQ_b8FoTlpKT_BObsgBl2bj71wU5HcYdpIIgiTJ5c=
#=q$njopRrPblqe$yrs$rsu5Q==
SpecialFolder
#=q5QHPwKvqpNRA$cKFBj8i9w==
#=q$YUIMaEFO5IFZXBvo0kclw==
DebuggerDisplayAttribute
#=q$yU7aYEYOl8Nz4sJLGQQ6w==
#=qh42qYul4hj$aa5mluadvLA==
IClientLoggingHost
System.Security.Principal
N-zQ?
UnhandledExceptionEventHandler
#=qaWedjkiL7CWj9EfMXrEg6Q==
k6~$|
Socket
#=q6tJHosKuF0IY3gGxjaveNw==
#=q$P4U7B6$qbq6QJ_QX8MfyNoxYRq3foNT$OZzr5yEqDQ=
#=qK$702nkzQ4rQ0lJLQZ2zaw==
#=qAfx0INrfgWoPN$Cz4VEZYVFcKNxFeYaixc4CaQpU$0g=
r;< L
#=q5C_es0qgtlVCNxzfPQ_idg==
DeflateStream
IClientApp
8.0.0.0
#=qnonybcfG2jzQ4kHK5lGw3g==
#=qJtsKc7ccoU8jRrRMGJWqhA==
#=qRvcNy1bY28C6xYdCX8MF7w==
#=qFm7s8q151MPpLODhzLizPw==
mscorlib
#=qMMPHzLKw8_cOGV193acukw==
NewGuid
D0E=Z
';Tej^
get_Buffer
ToLower
#=qnB6QgyVNIUL$Uq0GD3p5d7LpaFZvHrB3jSqhv3o7qlE=
Acof;
7dEt7]
#=qJZLeQthAfpiCw0QvZb7htA==
#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
#=qRxyF5FV01AHvUkR3BeX8OA==
feffefefea
Sleep
#=q6jLYuOOmC$a9_UySsUlsFA==
GetString
#=qfkwtPDg_wfxGVFOXd$WnCA==
#=qQR2R27CtTwLSuNC54_JY1g==
_Lambda$__10
#=qFlz$$vhlrnZb7YOji0eF_QZBzkOajT0w3UoQbgnXVIA=
Decimal
Microsoft.VisualBasic.Devices
#=qikBX_CmS$ZzVAuq$nQJBDwmLm5Gee1iPlPuvI188Ejo=
#=q12n1704BGxiT9AoOoTNqog==
Resize
#=qtxvtUAtG5kwD1CbaXqZpxrHWaxR5CiRO2OiaCLfsbSk=
#=qBpzegr6XzkmtwALf7kKPHV3RZVAWYLbYE79PiG2zXYs=
#=qfsxP7vyadqL93mAkiQXr1tsUC0B$7Gp0ZNAPpjNxIG0=
#=qN9oos_gePS4akhGX5rjcOjS2FNZJlTAkUnO0Ykgu7Rk=
#=qQyvT61RAfdEUvn1jBvcx0Q==
get_AddressList
A}p8K5o
EntryExists
#=qoGHQsKlZ7jK$YeTeBpzDNYYM4Z1FIrOpXaDV$VTAdfM=
Process
#=qHamFicykpD9fQKnU2wtqJw==
I!4M&
#=qWaMf_MISHPEu34of2Bm5$ay6Z6PuaGN7w1jlKYjzwdE=
~BXV9C
w0%OC
Qa"Kr
#=qlV3FbiF00r5Vrp5nqoncyxDHZMuHB7yuJa7xS77K3BQ=
07LJ)
#=qvPYkN4Wli543LScsy6rh$bZ0bDIN0tYd5zlNUibOEKfBRc13v6NIDRtsxPOZzKpX
#=qE8a8ikTp6zyXXyhNYzK8Wg==
#=qScWgGHvDwJ0da_7qXoO28aGE1ea7zp5$XjEJLTXkuHQ=
SocketException
GC'A/F
ResolveEventHandler
System
#=qKxYY$jYG8_7mT_7R0n5jfw==
#=q5s6lzZCgRNNe2Z9HZfa94HOHkpUfSnAwZsGo$hzh7hY=
get_ExceptionObject
ReceiveAsync
#=qksh921Ur22JKhSIAXESSag==
#=qwK7$pNtMfqKNZt8gGYd$pw==
#=qEoM$dAPD9j9L1YOZU2B97iwm0vZOJe13LDB3GayWQEo=
#=qZ79zrlLw6T9kJCHt$e306HkmYpQl8J1ugf3bmy8tycE=
#=qKoyC_0Y6bPLCPvDcJr2y5A==
set_Verb
Ir]$T
FromBinary
#=qwSPuuWVW8tz$gDazhda2d$myXXX0Ro_wRP7Rmm8JiiT9wA1EeeaPUV2jnUkQOCHa
1M2/a
#=qiIt1yNcUYn9ksB4loCZmUQ==
<v7F:
GetUnderlyingType
-$& ,'
-p&~C
,@&(\
#=qwdHHpd7UWv1_2lcOeunA18XKUsrG9D8S$xli$tkAMlI=
#=qp7rlpRCprgGh7RCnHteaLw==
#=qU1g6m1CiJ5yzLECox1hBrw==
+u^Di?
#=qkrqC_kLD0I$zOgfqD$aGaA==
ToInteger
#=qaCmGqb7phy5lq$DAzhK3vB71XCZSvhKm3BtGKq_xBto=
CompilerGeneratedAttribute
#=qXfm3QhQkyfcZgbFdAZgHHmadm7n1N0mfKcKBqrdfAk4=
#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=
8 @=,4
#=qzB1OZ89gRpxcPckUn_afNY2d0beSpEyl40_4IarIxzM=
RijndaelManaged
#=qgSHqO_KLHRARFg70SGn_Mw==
0D2T)
2F]QS
#=qDx8yS5wU6EQSawGC841xnw==
SetValue
#=qJe4Aop6J2k_bK0f$hS3ZOQ==
LingerOption
WindowsIdentity
#=q4KMIX0AcXAdYuUiSKvyy9Q==
aLk|W
DeleteValue
#=qbOmsEb0zGpdZukI0D4Idug==
#=q23tIFHA2cbwzlg6YDYhwLkXCJGgIhllZCGmc4pRC8rI=
#=q1uJdtbJoEKhZjOld7SeHjw==
#=q4N2IYJkFi2VWiCVDKVND$8gixU$DXUcX8F2LiLBxLHw=
9'imFT
#=qzjMBSDJWeEdkUWCBxYatrQ==
"N$9#
#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=
#=qb$tFKVReqZMI9M678cKWGdlE1UJqJBfHAfOfQhXuW5c=
v2.0.50727
BlockCopy
#Strings
afeffeefeffe
System.Collections.Generic
#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=
"G>g{n
Bu=V&
~v]_yWs
#=q2dXdGRU_h62YVIUhgXBQJzEnralpXNvp017RQs19jjo=
Replace
#=q$XurN5kwCvUuDGDncP4myluEGVmoB5AfvTb_Ct0PT5c=
*LD\!
#=qWcYPgOJASLG6mRBDPhOIZERKO3Eig2IiEWCrUa$w_Mw=
set_Item
#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=
#=qTfMnD_jfiITiB95ES2nWdLlDTdGOSDVgXEnjKNGkWcM=
#=qxb6WVOMh6wjcZFY_Q0MJOQ==
EndOfStreamException
ToBinary
#=qUWYBucdXrqr2Ksc_3qKZcA==
]a|1QD<
#=q97ilq24aAenhk$hG8MzEMQ==
BuildingHostCache
DirectoryInfo
Lq0M%sE
#=q8r1xTCj7grAlhMxU0cmrbA==
value__
bEpVvV
#=qFv$qWif57TCUNsu_O3F3gA==
#=qSYke1CBEgOP5WhDQ2wCOhA==
SuppressIldasmAttribute
CommandType
#=qTSoRMaNGYiiBNK9Yfq59T$2z3sNScYh9uxoeWlhnD_A=
get_Hash
UIntPtr
#=qJY6uBmA7bjB3pfI3CAMZ7w==
GetFrame
#=q8Lz$o21atQxw0qUwF07ufqfk8jjJrspNc$L9E2y_kjQA$2GQzuj5BmjDMXRcd0oL
#=qkcPDXy2$GrSLn1ykhNxS$A==
#=qLJcloNvItceT7R54Ssv5HVCoj0j2JUUq_dQXQpFZZjM=
#=qafzQcMCK0eVSctI0IcD2PA==
#=q5W7RemVArrFCeEyFuvU4Hg==
MoveNext
UInt32
#=qV4bSY95FY8CPz8U7EzzkRg==
#=qUaHlQloQ1heHsricyshXiA==
#=qYVgYkiAmhdTmisXUMVHYlJUHzcBdggj3Sn3nLI_MDJ4=
JqQM!
#=qulZN_JfMbEqc2jFbEooALI6mh8tLy9$3NFedHEXAIAw=
Gv1\y
Assembly
G')UL
#=qUbRtqAPcSxRMI51YgNXGZ9omJvV5BvuqBNocgi7xl6Q=
#=qrIbbxniIme2qLTdRw6i0wDoZFMH5BWs03iMeSnjojQU=
Z118N
System.Reflection
2XgO"P
#=qAoRzrFi9HiHjyPL0ixkVXA==
#=q0QKFCbf0u_IpV5ISOWOl$Q==
#=qr5qpvOPnLxLp6aGkfAM7wQ==
WriteBlockData
#=qIZP8IX60gSYF82kuZejmg8pOoXfEBczapTTwgrWM$fM=
#=qrjPq4iPb$PLckcObsgRE1Q==
#=qH7CAcg5aycQv61Wo62XDpw==
DebuggerStepThroughAttribute
#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=
#=qJrzYsTPKAwT$ubz_aq99mw==
Int64
#=qtBt$1AtaHrrce6fc6LOT3axuBNxZ$SQPty78qYGi1os=
#=qfjs2lYYPRWKuXjeHrc8Rtg==
#=qbUu2Y2P9FL2iRkWyb62gww==
GetCustomAttributes
#=qul8YRvQj1pWpo4_UxgOSzOBvtncEE$VPCzTeLK_rIz4EnXxineVkwF$lTxruKPxr
IntPtr
#=q91nKS7P$i0qKCqvUAPW9EQ==
(K(s2+O
#=qos7yzAcb5jR$ypc0Qk3OWQ==
#=qw9FR63zXVj$omVnwg0u37A==
ReadUInt64
#=q$Rh_ulnlhN$9Zn9n4fKAsvWT9cisaHT_PgvcGANnd6o=
w,m~+
&&*}#
#=qiCTCgJQkyH_Kzq$FT43G4Q==
#=qCeJ_QwVb__fbuEImkTXwSg==
#=qURIxMOG0HImwEP4A6zEiPg==
#=qxQTn_t1ZFKKNm77mQ5vH9cInicm2Cv9jGtv9vmIpksI=
#=qQLqXliLS$ujl108DGV7$zv9jo8WyYr7oxBJvAgzllyk=
GetExecutingAssembly
#=qqIzVXHiNuUY4ZNiSxkqEGQ==
GetTempFileName
_Lambda$__5
#=qEnv9WsExz6baZJKRUDupw9eEQbgJVjj69NjcsJ7hrBk=
uTL="r7
#=q6pErmyx6x4$YkotXXEXGCt_ysi5JdNm1fpNgnUvZ9LE6EtA8E0TapqXrPnqyBO1x
#=qr6ouJTA2RwDm_3Z$eUP6TCvbpSA$yAFGnut7D4kG2$I=
#=qjM89gxwDLZ9izFxrYPCtcA==
wUFU\
EditorBrowsableAttribute
#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq
get_Offset
#=qyxpfolLUhMvFTDE2h_syvQ==
GtXAv
#=qAp_zHqT7acjq$QNiBoq2EA==
t]0R#
#=q0msvLo3fKjQ5ucIFxkdur24Cc0tFDGimgcqgtAeKZq8=
/%RQy
#=q2nHH3haw3R0VWVw4qHOwKw==
ConnectionStateChanged
#=qRxKU0X3UfYwXoOTtDpEVW6z4XRgE1s4V5zOQsfCCSqM=
RegistryKey
8gxrZ
#=qwogjI4gN1imp1VeWLroXTk41PgYeLQ34zunh6NYu_3g=
MyTemplate
#=qm5VvJvLZD$UcnjvypC5XcA==
#=qtWaDSiZ3KDHpQtSfxDZV0w==
e>!q9
#=qbpvfREN3OwaXBj6J3WBAim$AQyJ99fz1ef01qn6kVrs=
#=qTEC8gcgkt672qW159Oe_Iw==
StartsWith
Rectangle
#=qwNkTTorgPauZQTT6jiqLIA==
System.IO
get_ExecutablePath
#=q$c3lXLbhl3Qzil6Z9hYEopCTRdsG8WE_1ZuhF2KQELQ=
#=qm_Podb$DJ6CfxMwMnaj6heXfc210URbSx7p$rJGFPmA=
GetFiles
#=qay$wDBdxvh$MBWrC9YMhC_f55kIvkv7I_BjPu_7Ajsw=
#=q8NzetUGGc1cM4ZGyRGGlug$fKAOwmcPqe4nFzDGKLk0=
ReadInt32
Y=)Bb{ ?Y
Remove
#=qTAs57ZkYafcLC2FZLCGAiQ==
K*$ T
get_DeclaringType
ExceptionData
Format
#=qvX$J24rI0eJ0gWfA6CEdzVJN7bQN_YTuS98N0yyMYPo=
#=qLKYxZZVHP8wT4ocBxnjPXg==
#=qTLmFjOt1Rq5$fqQEFVZ2zg==
:9 y`D
#=q3S7bY847GmpPliI1m7tZaAVifJNdeHclZJyeY2JTxN8=
ArgumentException
#=qWQUgmvsTzj15wSjWQHZnng==
RNUt#
gXtD[
AssemblyCompanyAttribute
#=qfvzoVBS4j9KdxyngOlL_NauqVYLAaOZVw9dutKQSAp4=
_Lambda$__4
#=qO7YVPb8fjfyGw81pHcJjnw==
mYMn|
GetPublicKeyToken
=KTe8
#=q1A7nXYgjUuxh_0aV4fZMB87On7HuSdbeS8x$mfXfW2c=
#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=
|W[bO
CreateEncryptor
8{=|y,I
#=q5OunwTi_tYTGCTkAtZ8rARxlhmXbFcAf_e1GiEt$FEA=
#=qhWn12I_bGxHfrIrnto3QAA==
IClientAppHost
#=qWgd5i$rED0nEbfExDCteKBL09U6dKm2BW1AXqZVXCWk=
#=qjlBNihUiUO2oBJbOEbdB4u8xmfTL9EQ3AEFa$nrdzJY=
#=qoTGj8$mBoje$u1RSJ6obYA==
ReadPacket
-#&~7
Int16
WaitCallback
#=qlIUFl2SBYSRov3A1WGimWQ==
#=qVEEdpD96A48uRzPJT7G_w60gIZo4tH1_e21GoRWPFm8=
#=qChPTKc$8xcHrcle7anHYNe0wH_TweGkex2nGe9n8WDs=
n*kWBzj
#=q8uMGC19QD5WGzpkzUOu0SQ==
12BT{y
Disconnect
PluginCommand
AssemblyTitleAttribute
z~$TI
#=qXO4A8$YrN_OoPhFOn$Hhtg==
3aHsY3
Dictionary`2
#=qLSPQZXlXixhGX8Gd10$ph8j0p3_XdW2xwrfqz3nO7MY=
#=qDJlWEiuGwuVXAz8yc8z7OaMssRYN4hP9AHespNOmdYHus6_1XkNOC0rqgHeRZksg
#=qhwyNa_lhtuoyuJK5j3BcF4xu5fY5XhFlgzkM1Cgy6IA=
Dispose
B.rsrc
TimerCallback
#=qzRf5_jFnPo03SqY9Fq$uTg==
Queue`1
Shutdown
XZjjn0e
#=qhiSO75CpxncaWptyc0vAMQ==
#=qrPQtMswclvOlK1AxL1S4K8M$owLGUpQfjJA8CWW$fj1az7m8LFibY8IeMxHKi4wi
ProcessWindowStyle
&&*}b
xL;ssv
#=qFZ8xm69Cd0C55Ip2ORf7Ng==
-b&(?
#=quFACL_$e$cUEIexpzPXS7w==
/voo:
#=qedcCJsW_6aMZb5lO3tR01A==
#=qraB64nHTnRXCE4d7ffs5aGExarxpEh0COAPaEFI5iV8=
get_CurrentDirectory
#=q5XjI6hZlPIrXq2h2btB_pVJgDh_o3RXkWrFCxLCG1E0=
#=q_$JrmDHg2uq9s8cQVRi8Jw==
ReadBytes
#=qJqkjp9g96yoxpNS2E$BC00FKleto7dZfN9N5mtLDF4g=
#=qszlIp3ITaFi0VCgRIaErNg==
GetBinaryForm
Yaa*&+
get_Y
#=q7rZvZ5LmWDFo52hBeGb87g==
#=q3LvM$oW1poDdLKDT_N_s4w==
ToCharArray
RegCloseKey
#=quOBOxPeAl_kjKKx$REI6dA==
#=q_NLac$XJ5lIxZMpXsr_nBw==
#=qOplsUBML8x2xteEBilOycw==
#=q8Bp27fhtrXMmonNxf$9qLbuQQehIBQTdOPDQw07FUyI=
#=qFMsFc_zvkhu_B2YTPJt9Yux7Vq8aZNOr3FA$mEdAzCc=
\;-_b
#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct
AL7M[MM
get_InnerException
#=qgCcrNFC0iLB8hKTy5iNnsw==
Marshal
#=q3cm0QwDyNYr2y$xvkCk9bGbohRfuMuxkahGwLy466GA=
#=qyzEuYsQ6u9hwZeR0HeWqvA==
#=qf3c4WtE$$thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg=
j:.M*F
#=qcDgE7pmQv6niirKxFRMj7Q==
SetKernelObjectSecurity
9+,Yf
WindowsBuiltInRole
#=q4d$NdpGCMcL3TaMlT9EW69FacIvNnqDPMFNisgGhmsY=
GetKernelObjectSecurity
ValidateBlock
A3Q3g
#=qRbDxNN_CBpjdn11hjtWoZg==
_'5-_
#=qe9p_PgOCiouYWahOSDKth00dr9CdsTb1R3DYgCeLUBw=
#=qsYpthruwyrknxFdWaNp9Vw==
CreateDecryptor
W;Est*
Conversions
ReadDouble
#=qdzx0nDkNduYsJ$MOZBFb6jelzyvbyiG7So1vqpZnVLU=
-'&~C
#=qCN8q7dxuBuds3rgIjZ1oLA==
#=qBcRYABJptno3$fpXoMXAvg==
#=qArVl3RpI3eEiVf0qXoqrWw==
#=qk77uxMCXAcR_2KMKgZiSng==
#=qd7oUKLFPI9nt8Ln7RU53xA==
CheckForSyncLockOnValueType
#=qCKX0qzAtjLAL9KBPrJWkOA==
#=qXzNbY0aXEU2Rr2_Jbe87og==
ThreadExceptionEventArgs
get_InvokeRequired
#=qu1CivWngdicjZHEJYKM3dA==
#=qqLLpPwpASXA1wqOuY2RNlU8CTc57bQGBfHWaLDgrCKM=
AssemblyFileVersionAttribute
System.Threading
set_CreateNoWindow
#=q9rN$wEdl9rzJbAMMIiemCg==
#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK
GetBlockHash
#=qdy_NHDvN7XTcQtWWMYxYKbuJqtXHsYJXM_YUEvVR0bc=
#=qyZOtLxFf9zA2x1ff4_5cOg==
q]`sp
Write
#=qxUvHfLZKZiUmPXUqPV8Vcw==
#=qsAejPkl5V6B3npq6homyUA==
Microsoft.VisualBasic
AppDomain
#=q$bBbU_xpGfMMkAvp45SBRg==
!G,iU
&Z;1()
#=qZiHVbt3FXowK6_NIyOxsOw==
#=qsA8D04owIGYHILF6yPa43A==
#=qtT$P2Bo4VHFu60OU4VLf1H20c7M2DlURuyfb_XJDYaM=
#=qstAyOBsDsJqFRKDvXIn01A==
#=qWljP9Wu9miiHAG26c_L7NQ==
T D #
#@"E<!
#=qGqLDylJy8NmMEbMDJmKtoQ==
#=qvLrEXVjSw17e3P6GFPALhrZXcKcfxuk0NupQhKFf0VM=
#=qFlM8LWSzwV9qMKMd32mVdQ==
QueryDosDevice
AppendLine
#=qkWUjAoA_6r2E7qo6NAGuIBq3iKikqBJbioTC25CcZQY=
#=q2wxuRKC7TyzyevfrmeuJ$w==
#=qZFVU$VkNPSWYii2AVQe6c6mwAUd10Tgqkl1$K5gZz9Y=
#=q63A3zH9hQ$3c53x2wqU0Qg==
#=qEqBb19ZxrWpMC8pwAc1v$Q==
Hashtable
#=qFYv4oSsEFno3Ujev9_o4Hg==
#=q6Xi08r0$lOOnXtoBHhfMuQ==
#=qfOXLv$ej4ffVoa9QN8Vke8O9DCKhSHEsi_sqFk8Qf0o=
get_Day
AceFlags
MessageBox
ToUpper
#=qVXB_y3eN_sp1$Md9UoJeYQ==
System.Drawing
#=q6uR3lWd6_aD2reKUDlx$OA==
#=qEIPcndOLrV2GJmno7zKtBA==
Details
ExceptionHash
#=q8T1neNU8Flp1WaNsBKnRHQ==
#=qfPf03rjJVGFkLtYSr7zDRw==
#=qUUt$Zm9DEy7746wMpw0nOgKcClljRPRKWyhQ21GyaOQ=
#=q2X26s_rFZ25AY$hOcf_6zA==
StringComparison
#=q9heLrZy3cpWSk7do8VVthg==
}48{w
#=q8McCIarwH$XScVz0xkTmJw==
Combine
#=qBhG6LJNfmJspOR5A5YrkZB3a_dWOpJYSj4Mo9vfL8qo=
Create__Instance__
|,RA/
er|E0.a
-'&oN
#=qDOdV5duF980CDFSFl8oQpw==
ReadString
Client
Object
#=qe5qrWacQXGv9g0P5D_mRuQ==
#=qluYNp43cwlAh9yLdLZolDw==
#=q6Aboe3ONIkez7GgqcdWPi0_vrT_i53_89HUeagGM6MThXvFkvl8hpSeHO1UJawKN
get_Message
fefefeffea
`jf|*B
#=qe0mY$R_rBsPIZZv3hPLS4g==
-O&~r
F)&*f
#=qKYm_FHWoJ42y$VrakLgWfw==
V/FBx
FindResourceEx
Concat
SocketError
get_Unicode
#=q2gthvB62n07fYVTx5fwIqxBAo1t_hs$il9Ac$4FY_Gw=
GetInterfaces
#=qYMGXxffne_DlG2tyCliUw119RPUt2rJt6SWle_TPkBA=
#=qCgskv3QU4cEy8M7hqvNNBbFyow$DvbmSQrN8A5JJJWs=
#=qgB3pFGrOVxm7f$sXZD67nQ==
#=qQRAhbbFlVBfqrgso8zehPg==
#=q3_xjz98EYRXgLslROl8imQ==
#=qmuy0ee0GJl13ksvWRbOSbofOCTPf0dv0HYdjJq9H_Es=
W3cuP
GN%UI'?
OperatingSystem
#=qnY1InNbQmfgiJXdGVH6rvQ==
)]}8$j7
#=qYI$MiBdzcplbf7GqrUf7Ig==
fefefeffe(
#=qyEH54IW$f9fUJb7FOR8r3vj6e$onLGrpm2VGycjbl9TZJEqkwtA4y4bL9ExOWpiA
#=qMWVV4JCreo65oWvwYJqZWobqlgJkr$K2AUIqF$weF5s=
MethodBase
#=qw39MYiiaN1XJbqsDq$LgQw==
-\&~]
#=qg9gWuHgvaa6cHg9wj9NSQQ==
#=qr9m9EjuYAP$2E3p2xadfFhcTH6toAhrm0dlfOTldiWRsdXd8UmnkRkYrV_8$1gaA
#Blob
#=qzTUdhpx_l8oNrXik8Q6a51kZkIp$waiEMbjMOU1bFOc=
#=qABSlSWKh$8sT$UF4sG_vQMmKqh5lDRXHlL1yCp0W8x0=
#=qw2XWrJCQCyTO0Iwdbz8TWw==
AddRange
#=qQ3JMSE9km3mGmL6lmUfRHw==
B%S:0
#=qEQtWieYw8BPdEE4hbsjTLrq$BwGjJOBoaDYJmV9xVgE=
#=qtIl3MhjXHsnCHvTVFi9hFg==
#=qfozjXlIKX6LyHHXB6wCG9g==
#=qjIje6jGWLd2EOkfZXKqBbg==
AddHostEntry
&&*}X
#=qKdZKgyAqL_iP0GUSJkXePw==
ffeefeffeefhah
LoadResource
get_IsDisposed
#=qeKiN0Pwa0MwkK0uB$Ook97TrMQC$LNj1jgF6xTuSA2g=
add_UnhandledException
#=q637XAKKKpMW09u9r97v4lg==
#=qwGMLoIBYlotM6E$y2KTAuQ==
.(oGu
2#cKX
#=qeeDSInMnFASKK3QXGIKUxuxDb8FgGi0XLXRlZ2oJdWM=
WellKnownSidType
get_Port
GetMethod
$IqT4x
#=qehEpCuPIxZRbHczlt$dAWi4yWi9o1_noSvuo$Wzvtyo=
#=q0REOJwjO1qsE01G_RQE1TQ==
EndInvoke
#=qPNzwB3EyeKwH$TwKjEdAjAC6A3IlGhANCdkUFCgvEiw=
#=qpXfSNxR7J3tqOHyqT6s_Aw==
#=qNz_Hz8DMWPqA8pVcg8d0UVymwvCurvyYgdZaMK3OhQE=
#=q0PMcXQJxcLLr1sYO0fpyhPjUwjQtInL_vJPQSgCsfio=
#=qO$LkcjIVULy0PGjvpOiiEw==
#=qyc0YQPNqWwZHkgNDV8lyIQfgMkEbGZtyDsLzhYmFp8w=
#=qhFV5jkshUI$uRxypI6oecQ==
#=q0pfW5T3uO1I6LyXSPFW7Qw==
#=qQ_BBkbckkXGbXV1nE4Sw4w==
#=qYiXVlu3YVR5erIxfIIBHo1Gv4y4z4vrtnS$$9CALbVE=
#=qhq3FXVXLOItNPwDlpFnTKHk3JkInaJiiSE3uR3jtGH8=
sZjGi
#=q1AWpt7Zq4Tx0wGx4hVFZRg==
#=qhg8oaKg1xx$HC$DKnlbXQpibwH2HXqMGSlGv30vEUsU=
#=q66hvvPDVbMv$MYStXtnb6Q==
_CorExeMain
get_ParameterType
#=q__Bys7JTXmAiG9F9QC$wjw==
Ec-D+
get_Position
#=q51SFR_Fbl10nUMKjGTtHqA==
#=q3TG8MLoZf1Y44PREVW$6m76IGmuYE_BOhC_OTjkQJFtYWwRtSeFqevP9hiteuLfz
I=VOEQ
A%CdJ
{uT,;
#=qmbdg4P9$2ouafwS8nEs4lA==
#=qudwGeEjJDUB9pt$_k0YOgc30ZWMo1bIGmdknk40OWog=
fefeffefefea
#=qH8FTQLBlM6o0t6zf8SLPUg==
CreateDirectory
#=q8SIEDcn4WoT9RcZmFK9tzQ==
Rk%S(V
#=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA=
#=q1jj2Lo3UBKUZkdI2bLcg4QlXuNGNWZ$CYnK9VTZNEsA=
#=q8nWzev5go3NKhN5Gk9NzTmM91eKwrK00n3U6GWmH8Kc=
#=qjYgYU6Lnx_W1ikVtBmjm3w==
&&*}&
ELix/
RuntimeHelpers
LocalMachine
7S{$I
IClientReadOnlyNameObjectCollection
StreamWriter
#=qGqugi8s64S3wxXEod1SSyA==
WaitForExit
#=qV9UIxiLyaOi7XoTx2DUJwr8Ior26OirSZwM3mOvftrw=
(L^%a
#=quO7UmvJ4RBuIIChSn0jx_M$HL4rBuRuRZnNBEMlpsJw=
#=qxWNhTH3aUmlSLTvydVoCIQ==
Boolean
#=q4P_5NYDHZX9MPbDZuNFOAbRpAmJ2c_TFz8M5ulhIFApTRNfzn3_E1__1$MVw8$WV
get_Major
#=qa9HOmSrK7mjt1ZxVRncCgFoJUA6N3DmB1Rc$YUfcSKM=
#=qN1bIi$08taNozgdgDWdXVA==
L6&.x'-b\
S8>G[r
#=qAM4ZJ3aDwBm_a3IkqHxLmjdKzHIQbFeE9thLHux2o6g=
;W;dP
HostData
ControlFlags
#=qdZqWoaYN68rlMOX4HkTLdA==
#=qru2ORBLxmt_CUDya_FEQGA==
AssemblyDescriptionAttribute
#=qxWp4ETQRrgcfPChnmxhivyMmb5p6MuyluC9Tc_Mhkec=
fefefeffeXa
#=qVQoZlgR59_v4NYIa4CBPQw==
#=qVHGoZQC06Wdz1fJDKkoeiKu9aci51znqNtMz8dGZQMQ=
get_LastOperation
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
-(&s8
ReadByte
#=q1tLM5Gk001IDETj3RhJ2ESaIo2XgaV2vMWhqISqSHy8=
B/ (h
#=qRxR4aJg8TX8oM$OpeoviZQ==
#=q2V8VN1ZqnXOBhkZZr6w3VA==
ReadSingle
#=qOxeV7mwtJT4AH3HtBqNUXw==
set_IV
#=qzx697Szk1moqO$yUynaioQ==
#=q2XZFEYqbf67s$PRf9Xyx7Q==
*jWtr>g
#=q1abXKhVCyzVldE9ra9z81A==
#=qgHxgiBgB0FhzEGOOs2Dqnfh3XnJ7nEmajCNqRqFR3Fg=
Yn8fR
ValidateSource
t!\4=
#=qA1_qolTI9aVdwnEde3ubqM6zKBigTZiyb5_iHpeZQDI=
#=q3fzZpU7POi9yYKua762KimE0tXDV2VRrjyJcPuwXgTs=
#=qxp6ct4JGLaMDbwg6fkrIEw==
#=qCA$7lFkUlfYTBh0Hp6uY4w==
op_Equality
ClientLoaderForm.resources
/:?MJ
fML2;s.
-!& 4'
#=qRLk0VFphuSTh16H1MGZUv_HwKU6b1$OQZ0l10zUjPKU=
#=qbbSw65PC$nto6DJiWxTawg==
MyGroupCollectionAttribute
#=qA5pFz5LZPgfUa5zon4beRA==
Ev"7V
ParamArrayAttribute
d|x0_^UV
<generated method>)
HrDOu
SU+oS1}<
get_UTF8
ToString
#=q1t2nN1p2nWkytA1wjQ32JyClWcTGIZMOEV9XOIYf1xQ=
GetHostEntry
`.reloc
#=qoKFLFqm7bb3VWsU2QKXIQ4_6anGbTCWiZAfrNlgq8fc=
#=qLYpbsprg$ymVLeNEwEpYlA==
#=qG2DPieaEKCS$j6T6yTf$qg==
&&*}(
&&*}e
#=qSyCMza09ItB79lrZlFBuQQ==
#=q$mqGRbJ2J2TNgadoLHYnIQ==
-m,Ol
#=q9tI5WfBIFIPW_84mZnHV05cJ9fSyOCl9wA8lwPxs3PQ=
NfefeffeefY
WriteAllBytes
#=q$XxqrIH7dyYqacMzR_CjGA5JAR0vUKiq1f0DFqS1mcI=
add_FormClosing
#=q0g2hVR4CYkiIvLHeQL6tUkW2KQhRibG1DIo1pReSOj8=
ParameterInfo
#=qWbDVCvJRlY$nWsVAToK13K8LD9gZFcJQAtBUvjDEcyo=
cU1rK
SByte
#=qQ9gevS7b4oTsdxtV36c3$A==
#=qrWKlHKCxTKueolOR4ohc7D_cBhjLv1zNIcftgcigaGU=
#=qKxL6kQaUyB_6jIG3mQUGOw==
ReadChar
<%h`:
Start
#=qEbf5uxiH92v$7mL0TnmsnA==
#=qvJ_V3lJRnVEW6EI74n63zg==
#=qFxElXT3T_$sB_0gpbmQGIA==
#=q7wsNZ$btlm7uRzkYXMkJl8JrBCKSYJt4if2WiKQrObs=
#=qYGU8a5KOsYzqpvljkWGWKuQS9mZuJYQa$8g5J6c9rho=
7Np`=&
#=qxRbSDXwo6eARhpCjqJa2Fg==
#=qEn9Mtg$AIqWbq3whj1y5N12e3KXi_NwIIcl2i$FXNSk=
SocketAsyncEventArgs
ConnectionFailed
get_Exception
0*%iT
System.Net.Sockets
#=qOn6YhA2JjwnYZ_7D0fnnEw==
;}6g-
#=qu0EIqDRT_HlTe4PqaMKdozL1lQ0SgTtqFucuF2vFq50=
~utVN
#=qI5Vms5JVXaVkwalJFV3L6w==
SetLength
#=qAySeqCaPs9tWWTa_P8M4Zg==
-l&~s
#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=
#=qtcncUaS1HcVKUD5AEGHBokWqEL$GDDjoAu8asy_oLis=
ffefeeffe
ffefeefeffe
#=qEDU5bqS$T9T0k2xHaznuPTNI8j4z6II52ItUe0wjyZ4=
#=qXCoQdguduOewiATPKLDvyekx3X3r68VNkZOPBX9O5lY=
#=qvJN63xerlaB42Q0XUG621g==
Decrement
PluginUninstalling
)a3O)
#=qwnMPoJqYBxCKR$s5x3I3EQ==
#=q$sTc1AZMnHRC7q_PL2hWs4JIEJoo88_IAFcWtrdNt$4=
T"({Qls
feffefefeY
DeLGJ
#=q00kXQ$0a$SV9DIgRtf4NWQ==
SocketType
#=qdw5QBoXX8FR0LrkjhWN3qw==
ReadUInt32
#=q1ZcUbkVKv7wahbk_Am8y6A==
#=qJ2Bo_iSk1Tt7sQHk7C2ESQ==
System.Windows.Forms
#=q0zLeEY98tybLc8FS6iVEWjGp4MNZxETphcH7ohzBXuY=
#=q7O26Wc9N845khaV1IlgZGg==
#=q7Tql80HUgCLaL3e0n4j7ew==
#=qCSC3Khfzx9$ef45TjPThpcJgh1Y2yjEovdFzCbywzqU=
[1A@%
b-f.1M
#=qiGEsYAsOSz$jy0hyBv5MGPdLIlePpwWMgCE_Abe_mLY=
#=qHU4s4cJ8BUWy$MQH9LPGxTniDgLcWFlt1CmhZ7PNRWA=
dm(Vn
#=qoKX_5NDx$uDAqG3r2Qdnaw==
$64}!
Wj?%+
-?&~]
CttEg(
IClientDataHost
get_BuilderSettings
_Lambda$__3
Single
#=qXjNBjXFhVcOvrRAG8alfq96_gJ4jOa0wwNOaztY3QjLWnMT6wXGDzBnHuUkef5N0
CFZ5X
STAThreadAttribute
RegOpenKeyEx
#=qX52fPnzDspvxDLERxqgnmVyN3O6kmNVEBrlqQ9OVPeE=
#=qsqmAgLqQh_pOiJq5Mcf5Ii66zl6iLnAX8VtqTy$uxhY=
get_Name
#=q6oykuAaezoPWCQHwIFBGYQJoT_doGKMmOjpzn6ZJomA=
#=qORcQ89THKgijJ1sWRyjf4hLd1g4H_sosI9t_gkVfZ7g=
#=qZHoyzaJ9rjmsFI5qWuYXUQ==
b='C=
GetResourceString
EditorBrowsableState
/@I76
=sG>BE
S'Wr]b\M[W
#=qRUXz_3fP21juNHWjDYL16Q==
#=qcyp860KJctHXULF8nCr1oMRR0y2kU8XZrQHqsInbsAM=
InsertAce
#=q9rPQSTp$UBZiTGc7mKlh7h1QvRgfs0p_mQAaIRjRIsQ=
System.CodeDom.Compiler
#=qNQZrJgmZwpZh_4yrtaf9Gg==
get_ClientSettings
DeleteFile
G-(!}[
Double
GetCurrentProcess
#=qU0vjurWIhbfq4$RoGXKKVfTj5MJBenZeu2wAtoCJAJY=
#=qYGqPwTlQx5HSyCMpKnJtwO$bA4uyJcKD$pA6WpBamRM=
#=q9M64o5ghSlB001vxhTt2kVIQeNtcHtzTvRgoYr2$PVs=
#=q$JqWZLd6UPV3jmsDHksd2EmkHWISQtPlvGx8vZ7hHXE=
#=qClMnNCTDhIIGUYHmdm$xCQ==
Clear
kZ58D
GenericSecurityDescriptor
#=qikOQWBxvreUKIkKm4o4DoA==
#=qI2pAr92bRdzddapVaPVhbQ==
cqF/u
#=qHy8pXlBCL$mvAXWQDJUnVpxgTTYNWuQ4Z7NdFPUhcZs=
#=qEKdoqcCD2XVb2atXAIOmL$Gnnk$r2oNLDVsEymHbxMo=
#=qU_ZXXWlv_8PtJY9coDWiH8$dVbE9S$EoqFVRvxhPtE8=
#=qOgcjmweVxeuvMU4cvcFOmg==
#=q0qLVKF4NbQlcaunYsixITQ==
ComVisibleAttribute
#=qWCa2pDyuMnzTMLUOIIx_zqZ1n0nAbCh3XpyakFsKTbQ=
IPHostEntry
#=qFaxhQMbuEyPeOadTfKIzX7ulwKfSulnteVvHU$QDlcs=
b`h*&+
#=qS8syUoAGHVUW8$eQd6_3_g==
set_WindowState
#=qfXdNdmKHZO9pILMTQ4gUIFhfl9KPJm2rU8y_LQsTH4c=
#=q7EIL8N8VWglyI984D7TGpzIPvdOcvYIRRwfMeKNyDDs=
#=qgPQkZ3GBDc371jzhubcNPqmxfqhr7b78DNmenmuxGa8=
#=q85afbI_HcqBFOZnC0iAqsNghLb3LsuyjFtpLEYYoPX8=
ConnectDone
#=qfpNcQ8IYoPRIQgVc_nBfXzVjxVN2nY_mFz$PcDXaKKw=
#=qnk9x1Gmlq5UZ_X95yAl14A==
#=qrpluguOr5I7WIqr51cA8ZQ==
#=qeWvkoUO61qxfYbQKV$cOPQ==
raGy_
SetBuffer
get_Height
ClearProjectError
#=qCSH0DtnYKogitTpLw_M85GR1jr6BVuF$16hm8cfUYWw=
^YkG#C
-&&~r
OpenProcess
#=qKqE6jaRKu5jJvHl8RwywXQDv4h_f2ISEaHK__Drdd$M=
#=qR_QBxpRX$xZ1vjqVv0afDQ==
#=qYuHUjnyRYHZqCkKAt0jj_9qFBzmTZKte4i1ou04eBWY=
#=qAkkjpY6IHZssIsQ9hAxzTw==
Invoke
-T&s,
#=qGHv1IOurZ6januU0XCThS7E6H0kqAtBD9d30RkoHFXM=
~:}ew`
#=qOsVShdMttD8jGLf8zW9G7g==
#=qEWXagqzV$_PB$92aNfTAHdvK2qw2uvSxy$UVh0K_lso=
ClientSettings
gD];mED
#=qrzlCozsOJIqLxGzoulKftCL7kUWSuMYFdc1ca_yCcBA=
m<pb#
#=qGjStw3GYbvUue5kapeAzmPJAl5$UDUb723PSvMiCGdU=
g2pBuG
#=qtLsfqPVQ47D3cdxmiwAJAQ==
q9t;IK
#=qnnmAgQGEsJw4dsVn9gN4wJbRL4WqsDa_V0QuBPM2E4A=
get_Chars
Variables
ZPM:3
#=qQoUfP$jAQrKMjDuqm54QmA==
#=qnaTZqk95Z1a8JBLdKiF8aw==
#=qwyLCYYp4MoTtTA6T$fEOIg==
GetEnumerator
AllocConsole
!LWL)
Dispose__Instance__
#=q5j3wvJXlnrGmRnKUHr_1SQ==
#=qyow7wBpiCNNIoap9jI9L3Q==
#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L
EnableVisualStyles
`TC$c
fefeffefeef
CreatePipe
it0^s
get_CurrentDomain
#=qo5Pv9nXCIU9X_B8SJDUR_qgp7npNK2pA1rGP0GNQ51o=
#=qQJBwIjtEvP$UD5Stcfj2wASGBDPz6YiX1yXx_MSfzPs=
Empty
#=qTZGarPS37Dw3Z3Ipg_AFug==
#=qNdKVs_XU_xYgnUK9ZfVshw==
#=quXVzKqGldmgtXgVm61aLog==
#=qAR9aFFQPEovpFzvfokoGkw==
#=q61s8d6EIAdSsDLLjqchw1w==
ffefeeffefea(
#=q6CxZjTl3_v2RHWKegcqMWw==
OCiQ"dN1
#=qek1Oy3FoZ8ULt6r5iL2pEQ==
kernel32.dll
#=qvA35ZDPTM3VgF89oJb9AmWFE4pqnIDYGjeV5H4uvblU=
#=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=
pTn([/
#=qJRbhy7_BbunS1O6hH3MqZIufpnZboV6cb5Cv4qZI1D0=
MaxValue
>T2p,
&&*}o
d;<kX
get_MachineName
#=qp4XZ9Ss3K04S36I$7WhtwQ==
uHPLZI8
l.|jy
#=qMpgSfrZ_Z1PFlMpqVHDctw==
X*]x.
NanoCore Client.exe
#=qKKh2V4W51UBGXR09J__pug==
#=qmL2H5Qgs6vv79mCqS$t3qg==
#=qG8K0lOrmHWfP2KExoNv$5w==
3,bDD
#=qUDQctXsgw3eGxqcYAxP8MQ==
#=qWFUoT0l6elO8yn$hIYUL6Q==
#=qhPT6K66KztLE5cE8YZMEsw==
RawSecurityDescriptor
#=qhz4yMg0WDLwu3BJp4fYr0w==
#=qgBCfMYp3J4fCYU13EId5uw==
BinaryWriter
set_BlockSize
#=qg$lb3t6abG6vgSpzSjJlb_$AIzqYfos5cl9DWFolUwM=
#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=
#=q_gCP8hm5SSW7J$3R7xJuSA==
#=qQKYqF9uhb3QdjdrkvuxjUw==
urF~a
LeaveDebugMode
#=qXKuFJhTO9qh0nlK1iXbbSH7y8Djn0mggfIDxOoarDyE=
3of*>p
ComputeHash
ConnectAsync
#=qB7XWHK8gygwSs$Fj70FiWw==
a/K6,
#=qJ598Vnr_RIwGnHqFfQsYCw==
set_CurrentDirectory
#=qHj$POo$6pkhWHVC5cES_2g==
$m`|'
#=qAsEDmMyJR5b6o5oAn_4$qhqe51JCfsU9Gffe156c8UU=
#=qukf_DyAYprvhLsdhT4CGuA==
#=qoTZi9XCxEGJXLELWnV3yfQ==
#=qDEcM8KorEdChS9luywSNQA==
IClientNameObjectCollection
get_StartupPath
MessageBoxDefaultButton
#=qkFwCVmJ2HhZ6r$uKeVZFFfVLdddj$WEInl9bSgbErDM=
#=qEk42FAaXkrNIu2TP76IakA==
.# G'
.ctor
#=q5MtzoDWNtlkksfPTHs5qXlK2k7ZehKenYzDJQrgdOII=
#=qdPDxrK7XRQZlwY8QeW6oe0AEoOr3qND_WVi1o6l48tc=
#=qvRKdouixzy3mopZ1VtjZRIxbtiSW2GAGLD$37iVLn9U=
#=qJLXxSZzWSVDQjBBC8RxpqVbwxFaxTu3ygaLrjLvlmTw=
LogClientException
FyhDN
#=qJAZ7is41tIXMNDQIkGLgjRC15Eis_QBrdFx8JT2Rx54=
oRzq=
#=qqCUKpKbVq45Cc9OUN5wTXw==
'ljSt
AsyncCallback
#=q8GRQigucU81Rfg9VpK7PVLcjulhhYVPijYKMm9N3PJs=
r[D}E
<Module>
#=qXz2OER2RItZOjngvYurWLQ==
#=qXCUD4SfDr7DmFI64sweGXTg5Ns_ZxTOZPqBRcEKWTQk=
#=qhVWucYSqOmMmp4RgG95tFA==
PliMBG
ClientInvokeDelegate
#=qlMIFeU84lweg5Ul5iSg2vZUvNnPKw11XA1pEUQfzDeg=
#=q3d9CqFPpPy$rBhZvyFIRs_ElAFMHTo4ZZuE_g$Nfrnk=
IClientNetwork
#=q0myQQ6i89t9SZyjYDXZrBLa9ljWEUD7zAwJyyFZowQc=
#=qKY90T141DaVDQT0DHaMEr8C6aPEoolamkqMM94Ir$TE=
#=qM_mpCWjOCBlruGH_QcTQHocD7LUJCLuKe8ntf2VtQlk=
IsNullOrEmpty
qN<|8
#=qD3hoTFeBJT$SvX_fQh_aIw==
#=qs202XG_JxpBwpKhptOZhRA==
#=qJMNT6BwQKSi707UHw9_x7oci6egKjto_AgHYlITH34c=
#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8
GetConstructors
#=qVl3h61LTPSW_ew_st_OlTAm7x_6Xu4hQK$pi2fSiEIs=
#=qSpdFO0arrQmbwA1JpPKL4TCAmwZYVDNVmpRQ6ryTPgs=
Contains
ThreadStaticAttribute
j<}3N\
#=qEhveuZChxbRj66Cj2kCGjw==
#=qIe49uN8SyHwjwKdv9N2r$A==
get_Assembly
GetHashCode
#=qA4f0kKyGXTRnU4z03oji_RIPyVnvoC_BRjpESDLHXqY=
#=qL_Q_RdUm_wJ7VeVwUqRXbA==
!uE:_
DESCryptoServiceProvider
#=q5WjY_m3ubVFfbJuyu7GMxA==
#=qrJaovDbn6146mBrhFbUMbw==
MemoryStream
#=qhA4OqIvVSMpJakxtoytoCw==
#=qTYemjRfvVDuBO5lrz3Aq6g==
#=q35mMBfMcRRKrjeZsPOCz3A==
SecurityIdentifier
#=q65znFg0_234nfnhL4I8yRSIMDpdjAosbzeDfyRZVW08=
#=q_5hmJXim2EG1abw3Kju8nMffXDIbl5na4zXqclsRK_s=
#=qAzhW8LcEnUCELlhG4klMCnw00GcHco1N61RthSA9zQU=
#=qjcSlrUNMLgvZWN$58FXdrl22$0OjCpoqksNsslRtIFE=
set_Visible
#=qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg=
#=qi3LnKomYQ5KrkAbxbJpKCg==
#=qjAD5jc_8Kg9x$NoAqFAvpA==
Application
RemoveValue
#=qNn8WS2rooUJUoMsG84mQ7PkK4IQF8$E42cyDjfL7Kqc=
*rEi/
IsInRole
-,& ~(
s%dEUK
d:Y0i
#=q6TsObh1LqPbvVPPz_YjbtgEdyXL$082jRqG42$db3nw=
#=qq2h0VNJ4eWuHP5LphH0mpA==
#=qGWcF1$SkVAOkK9Bjc82XDg==
GetManifestResourceStream
5T9Mv
set_UseShellExecute
get_X
ffeeffefehah
FdlvK
H(S97>Q
CompressionMode
#=qkzr_P52_BAWJXliKWvb8Z6oiWEishcUAemTNzwiiwkk=
6$l^b
#=qhYMTmNdkO7UsEcfduWinsQ==
get_Value
add_AssemblyResolve
#=qee1h2XwRBJvy2g__X40enQ==
#=qFNeaOBvMHuebCbgh$0IKkw==
#=q$jOt_Qd3idEY2i2z8zIong==
#=qoStPOR6UymX3IGbwW$iFxA==
#=qkxH2pC1tIcRyW8E4TCtfHw==
#=qecBuZmXKFD$jZa5T0d0L1w==
#=qwrVB2mw7gzmYRanSJvSoPg==
SymmetricAlgorithm
9k% >
.cctor
#=qGGQk9IvbDfVOJG_jRDHqOA==
GetParameters
#=qhSKaq9YW4A_ja0UC7Difmw==
#=qr1BSJWWt4_gjKhDM1XdrUmEEDWmH$7z1xaJvthJ97EQ=
2\PSL!
#=q0yJsLo0aFpSu9ky8R9f$lw==
#=qbbzTfwYbEfmovMRrVY462ipA8X_tt3oO3M_wSSE0I_A=
OpenRead
EventHandler`1
CommonAcl
System.Collections
#=qW1UvUJT2hH$HRJ6kt_DhXQ==
#=q3VDCpnvucWhkt3J6zytXBA==
#=qo8wG17V6QHcxsU4R0xmY_Q==
%2n` 
5$",q
#=qjVLlQtRAzKVOtyLrw5PhiGVVmXqMJJOsTT5DxaenWCY=
#=q6FX$JRP_bY_ZCQbx1UwWug==
#=q7_KHECinDx5vq1IBX7p8Ow==
#=qK5Mf9uxDCjwDRfyJQ6kp8A==
#=qx4AWw22LafncEy7CESjbGQ==
#=q1Ld$ycQpy0q1QvYRFk1k5lwgysKVR2tJyNFjakVtbYY=
Wh*RJ
vGUgS_
#=qVVQJ$z9bl7kHgfvJohZnMPofzhiFJ4f4yMGK7Tpp6xg=
#=qFWLbBQgFiIpy22HFbhF9GQ==
y;j;Qq
#=qmvGJ0E7$XHigSQAtHtZ6z$on2iAwFLBiFtrUR$DFhQPAtVI2LIgzNztIgPvlO9K$
#=ql4R4vy5H067cy2C3KkF7Mg==
DefaultMemberAttribute
#=qGgXamaT7IeK3DM0oRfGI7LZg7FrEWNz8CI_5MUlFEJw=
#=qo_N0HkUaMUQFRCOsgr2ciQEl_IzgJy64oQzCRnN$Qy4=
/.ffefefeeffe 
#=qFBEI0HItLMNpyOY0AgRxSg==
KeepAlive
#=q$E54nUJeqC5jURP4oCRU9g==
#=qMMkhBs_8vtf4989qCM6TUw==
N8[I=
-|{F+!
#=qUzL7S_0eXIkbwTon4AS_WA==
Restart
EL<s@
#=q9VIijSO53lpTS2jV37$Suw==
^2G&d
IAsyncResult
#=qxHMqkcY5ri8Rsxs7KCJ8ww==
#=qv1Nmoo$HMwdd1A0cX75UdA==
B##|L
note!
TextWriter
#=q4rZJEBSRFNm6PYOH7NOLUg==
#=qZbWC$V5YeersjeRitYkSUw==
GetDetails
P%GMJ 
mwT%'
#=q1t2S$ib6pQFvBWAJfG9B1Q==
Rar:f
4fN]6
set_WorkingDirectory
GuidAttribute
P!|yhg
#=qrEy8UTPh_zjKUNPlgJ2H5vQaVxSgPloAxSMCkFttuk8=
AssemblyTrademarkAttribute
#=qUlcwHJCewxIUk2tiKMDjXYc$Hb1k7TCZCyGdm6C93UA=
#=qy2xCoaL3Dm6E0MYt7i8x7A==
DateTime
#=qh9KSqT0kHBFSDanZ7gXkKb1vdDfzZS3JIRcUnMfcljE=
WGa57
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
#=q5uvtKo7rLfT5wGY5TBS4ixmbpGEL_B71rwbORlBpBKA=
#=qqn0Pbku3c3j14idd7rNOJmIbi4WueHDQGNjxpToWe9w=
#=qfGQBFs$OKLefNYKSta_Lbw==
#=qYQagvH1k4NeWsCidwFRb$sQTZXPGouROQfmoImiPGDo=
QyDyF
get_Version
@A[]%
#=qCI9CHxEGVm3HnYdn52IpdQ==
GetDirectoryName
Thread
#=qruARjy_8oZkz3lsHPGxBMA==
#=q_ux9H7Sh7a2A98b6QB8m4w==
GetAddressBytes
Directory
#=qgbI51haY38WJ4NumXDqnLC_uKv$aRHAyD63c9HgGYzlsFjikAASqT8RCSswEMouz
IClientData
#=qrcOHnfaYxPMN2$QaNhNmcA==
#=q6zjWArzQ8Jv_1waqxSeP8A==
#=qWFEttW6Y2i$LC7_zLCNdFCiHtPH1yR98w7TbmrS4vUE=
#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8=
SendAsync
#=qaSWqhswYp72H_CatHelXxw==
HideModuleNameAttribute
#=qrXs2l$bWJlHMZLHncLNYyw==
#=qeAiPMWOD6_wvQ4$bYsFv9GLgsem$trQFsnkw3WN9igk=
GenericAce
#=qs77tphQ2NXlLwCZkimhHsowpXGqSYmOGtKiGHHIs4aA=
B[%3=k
jz7aUP
k4 dv
CommonAce
g<fE$t
#=q8FSwXWaEOgeGW7OlBosSfg==
FormClosingEventArgs
-\&(#
9x}'J
tL/qQH
#=qY9NY2gigPsj8X4CYx0UCT2vGlqkgsq6GuC2fWqP3Voc=
#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=
set_AutoFlush
Exception
fqz7@+
X.6t%
InvalidOperationException
#=q9DR9MBj4z9rQMPU2Q48EqjtFhU8AMGWHK02_s7IakJ8=
get_UserName
cPy.iq
#=qJ8bMKCzzllPDbJIfPSoGMA==
#=q$fGRvwQxjFKeY$SH10p0pyPTU$R77VMKr3CcLFQeQ2Y=
GetBytes
#=qGzqsy60d_qAVRip0TvyGow==
7|e9't3
NanoCore Client
#=q95w9MpaG4ZcgkGgnmQITOdHr5IaLXD8aC6o3EqtE0PQ=
h-uZo
ToUInt32
BitConverter
set_Position
#=qAk5SEnvr6iWKzWTaOapTEA_BFwuNkz68xuZLTnuQOh4=
#=qREZQml1AE$F8eb3teEaUmQ==
GetFolderPath
GetTypeFromHandle
#=qOR7qPTYp9qHTyadzUKgUYg==
#=qxH0vEx09STdEljqb$W1E7jvc94T2TeZBAEeRdiG1_PA=
EventArgs
#=qamR76KZ1klLpv5s7oSbjxA==
#=qJBJs_Q6YmbNTnGoWFx0s8w==
>_<!u
get_Current
#=qtxap8xCUFH7z14nNy3cjjw==
FileMode
#=qlzCbqLxFuzycCPDZStFfAA==
OAZ7P6
}(K_3
#=qd5f1i4cDO3tAO_bEb7g1cw==
#=qfHad4tglpNfnMqZ6nFkPPA==
#=qZRkZQGrnZUWoFBVE_TP$5Q==
#=qS8q1FyJsn2_ukKh5ONBATg==
t,3!0
#=qA$TQXn2i$KwpdqxTX6vvVw==
#=qEIGjjvppBA3BShbdBfMkQQ==
#=qOKSmYE47P2z$UXqGETlnfg==
#=qbMe5UnnXEF8aurHaZz6klA==
#=qDH4GuNn5iW6RFhEPrfs$pQ==
#=qJdNCQZ8JQCfthL12ut8Zgnr9$rl3CuJQ4GAn54E6CXs=
#=qAsxHG9v$MAI6$NruMbxEjA==
#=qk$cpdn6seqbcKjxGnztc4w==
set_RemoteEndPoint
#=q5hEV9yBEvglIR94FFM9OBszK4aiazrmJrQshba2kpDY=
t'G||
#=qcCYGLZOh9EpzU$sjJG8ZyQ==
#=q79YE7jk$t8I7uIUVykHcVA==
:W40!
#=qF7qP$SJNVn6Q0z6ARFaJgM2aiYbkFhrfYn4Rl6Odj3I=
z}m+2
lWKhz2
#=qQtwc_i6uv63Hs$aOrPLxrMU9lMXbhRW79NANZrRxozw=
TransformFinalBlock
#=qDt_4RPbN$YmUyKsVRrbzrjU6uaXWwjHkaZoJAcuFCCs=
kE8a1
#=qP42Tluk0y5t5VrN_nwVhnaX9baaRq2NaLaW6RMHNX_k=
#=qrSKFiRrFo6$kUL7kjfG3zg==
CompareString
Sk}_l-
#=qdwmMObmoGgv5eEpelZDrHiipw5mUgryufdcXXig375Q=
get_UtcNow
#=qmiBgFZvSMQ4WgT0UQIJlEGkYZhWP0gsBGd1anIAH4so=
#=qKKJCW_KTAsIH3uNlP3Z4Tg==
Equals
XGzdJ
#=qDwymJFr9Z$8uhJ6g7so5xw==
#=qWrm21vQ8CBMZP_RBTwpusA==
#=qABNlGFDc7nOg_C39swAcLA==
#=qTMXjZFh8G1ehMXQzo1c_k7izR$ZNvDyCJY5aoZ0yOe8=
#=qwHAjqAoc2lT8vaebbsWerg==
#=qyI9vgsKRXHDyyks4VCAjzA==
#=qLLh1749MqIyRucx6BFMp7Q==
G3feffefefe
#=qObBSq08BLhHK8B6pYQSLOw==
#=q3p_D2U81K1hW2D54P32yDw==
_Lambda$__8
aYc9x
#=q62cZqzG2QOltpyG5v7exPQ==
[SZB+T*
#=qiNB6YyqAJbx2uPAiP1Ihw9dTNEtwaZElmpYLZcGO64Q=
PS@VO
#=qtcl57G6kPr7DDYeWeY389w==
#=qQ7tSKwAULKz8TSFsLbtapA==
p:J%,AJ
#=qOmCJCQ4xVqqqlvNEZD66Wg==
#=qTawRDksY2KFvY5V2vw1_pA==
^WFm0
get_RemoteEndPoint
#=qiJXCsKWBF9DB88uzW4b92A==
#=qo8RCFr_ecPE9NSA5cyD6QQ==
#=qQUdl15sQ0xTV$45YaAtVB9Bx2NeRc0CC_5Lr_HuNXwU=
System.Security.Cryptography
#=qw42CdKVHw2dycv8VU7DItg==
8ah J|P]m
ob+zx
r'\txqY
GetValue
Enqueue
twOk[
?}_qu
o7.<#
CdX}g
#=qeADSRAqxC2FlJbA5Uc5$2A==
#=qVqTMYHwCmwUHM6kkpNkbGw==
YV= J
#=qwGYG3$xqr6oMjxRyF4i0Uw==
get_Count
#=qRtpaHvp1hQcEDS$UubP_mA==
#=q1r$Sd9Acbw6KsKv_F9uYTPvvGAfiEwUnai9OGYAUQBg=
sLP:w5
U>HKh
#=qL2Az2fdQv6DkEBC_x$bbMA==
ProjectData
#=qWszclzYrfU2ikD2Jo7BLiQ==
#=qcfHq18AlWjOy12tBCM8Tbw==
ValueType
#=qaysgaPdcuRrUvev6__tYEA==
QI(D6
EnterDebugMode
ResolveEventArgs
#=qokX_wSaMFvPLXvDQY377gw==
Delegate
Interlocked
#=qs1aB65G6$bPi1$cdOrXkCA==
#=qFWCMyHOrl7QbIPkMYdiWJg==
#=qM4zv780c6Jc3GVu15xhaulIEjuiWD$RKEtosugOXKLA=
#=qnDLRD4lBlfyGeJyuSeq2WA==
-/&~J
#=qd92UVUgmlXoQZdJDkVvBpfqQ5IrxjaeWORyWFC422PQ=
NanoCore.ClientPlugin
#=qYCS3QLrXk$FWhHR$BIzDXQ==
#=qJOtLSdKNdNGjNNoElacScY2TTWmLUvN6XZsl_FLfP4o=
get_SocketError
#=qOgNXWEIS3IQJCnff_sTmrA==
9{i74
/==du
u]Lq3
#=qHdV5wMNiXS49lDrqJF3pqA==
WrapNonExceptionThrows
GetType
set_Key
#=q3C4Iol1nMl5AFLWNdE6nxB2_kG0uXzx35vvsn$gQzt8=
#=qdiuHngY4wejUsgFY5u7CtQ==
SocketAsyncOperation
fefefeffeefa
1.e.I?R
@Lt^GR<
!MXtjppG_
#=qDTvHA26pSwiGBDknUzewBVNt3YGW7YeSiQRH8F$_CMA=
feffefefe_-
Version
#=qpSjmalSIZ6iBUAWRLBOkQ5sPqtZAetb$LjkOVwAdUac=
#=qD_C1_4vUU8j6eQSUvsJDw_O6DZliNi$NDCaON05RwdmBpVqAu68W00hmx80mCKp6
KeyValuePair`2
#=qbzig1$2CwLluEJt5uPtpgqPx5y_2S$GoPgJP36N8bTE=
#=q3eIsVMg85$T5I_yeach_tN$TJG7$vFUaeExZx7tMHps=
#=qxLboOdsVFLmyLD939$tUsnUMYRMeFnzOLiWxQdY7sdc=
Od$fz
#=qSl7F7iXGTH9iNXHds05fxcgA7Cydd52A6vZtHH_41F4=
#=qCy_StxaanQioOSGQ9LimCF9_Wy9AMBNKclrIIUI0AWs=
#=qUomzGDQTZY7jASgBmW35Fw==
#=q7Kx5VWqZvUxLZ2L5c7WH8A==
ntdll.dll
feffeeffeef
z'7iF
#=qc46h_4WA5z0UkWODs1nwXg==
#=qB8Wn1MJrSNWupWDx0sYcAQ==
Mutex
#=qHtBOSXbLfhirIdzL218uOQ==
ClientPlugin
#=qeXI2ChPq1TaKaY8cTwWe4uWAyXSGUqAWxM21uH$6gYc=
9feffeeffefe
Gd6Y}63
tlW%7
ReadSByte
@CLg#
#=qo734_kbse$6lTIlwlz6A8A==
#=qhnLoeDP_EbzJexQQPp_LLA==
#=qnDc3CmkCB1QeN2dXbmqV1Q==
J@yz[X
O)0m%
DebuggerHiddenAttribute
#=qfoMVJHfk0BnMs4x6mHO77Q==
EI6AX
afeffeefef
#=qWsrg06gTzsE5hhHu57fJFw==
<7gc3y
#=q$6Q_u19FhL$wNOun9AB$CQ==
#=qW1Ty88cS3yMuRwgBrH3qpw==
#=qGPdnFVTlqnS4tiFpuQulXa$2eC7Pe6YqVeImkUGsMl0=
#=qXOmEbR_8DUzPz6sW4Kmd6kaKUIQOYZdTpvq2CkB17PTlG1zEUgI_P4skJXU2VwtO
ArgumentOutOfRangeException
#=q6uKQziMZIL8_PaX2KpbPTA==
x_ddRR
#=qvz1sVA0ePAgs1nzIHQTFVtjljpeJ1QO1S19vLxn8DMU=
GetName
ThreadPool
#=qOYQA1S8VHR$mOO6XXuyF9Q==
5P^Fd
wBXu 
Control
#=qsB4PatedVyMOyo9s5n1OTA==
#=qi_z83UuaQZa6UsXCAahbTQ==
#=qQqZpewiWxGMAW$tQ9Rz23Q==
My.MyProject.Forms
\GR3/
#=qZvjD49iuetyLKBIiF$ZmjA==
TxW\u
EventHandler
StringBuilder
get_FullName
.0`r.
&&*}c
#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA
#=qw1t7iX7Q4P$CBQxdhg13BQ==
#=qrQRxQdT4MC1qfwOd4n14uA==
#=qa3EpMqO3KVCTrDUnetWt6fRbeWox1uN3vfSP5v_W_wc=
#=quebj1wBCmruzAKmg6Y4Igg==
dE,1%
#=qhme1CFqs_evb4VXik7N4x7lNdqSfuNy3r3OUWZ1V4Zk=
#=qKpwDTqgBVuprqflj1$7QZw==
#=q2Xp4jW9C8Ta21HxmpVVhKkrHyOAsktLziyvL$pPr$5o=
#=qCaHpjtavBmCU_o5x0kJsKA==
#=qxG1wJpkOHyc4AD8gtAdxAA==
-<&~C
#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=
#=qui$hq6ka6v3VYA7sCjpJmcmNECKESf33DUzrmeSOmg8_E_GsgWi7VMMVWUGuO5wH
SearchOption
=wR*\
ClosePipe
#=qb0tmyILenEyH_R9DXJFwB5rGNfkKkR0Y5sGtBRsV3YE=
IClientNetworkHost
#=q9Dmi1iXzL1JAj2RiS$Q5mw==
,$&s:
Microsoft.Win32
cJOd.
#=qqRc2eOIidDtWq4y7W2lAhSyv$pBRJdAsYlXSRUcwizw=
#=qvbTNBihG2zARsewkRIFTSQ==
#=qWLKNBubktRcyu8vI4dIAJNOqajvyL7NccmUEC4QD9y8=
#=qHiBdWLOLLVg67b8lN8FRqgmYNWZfcDieu2MH9_zIY6Q=
#=qOsu3u3mLIa8ikCCuCoOv_w==
w5~~O
#=qs0qPjhSgxy3k5gj_gt12EQ==
V53W-
LXHi&
&oI#3
Component
#=qcrlhteALkcfYnKFH$UWw$HzZqj8gdN8_KwUKIC_ywUo=
#=qXuSOL4ETByiwdARI_Ds0Cg==
ReadAllText
#=qUVvjDZc2eypEDWG9cFZdTg==
#=qP6OAxyfxw$Mj0oVKCDnh2VZfwY2Ap_uDBmUyxkn98Eo=
)`].mt
#=qsOMWyP3LvE9$utIXVnRnmQ==
FileAccess
pHR`z
GetCallingAssembly
G<o*I
#=qIOX_rwHrS_RLFL2igzRsUQ==
 Toh0Mi
#=qKXWwuvxG9klNObPbc$UF0LIw0aZIk7Z0VPIncl8uFJQ=
#=qhv_9OQaSyr5PWElvgkBxFw==
Pw*H}
get_Variables
#=q_UogavoS8ANyZp2cF0B9t7qG1b3QUqGTYeTlmQIKxqY=
#=qU_UZ3uhfwWgI9uBw5HT3xA==
#=qbFnmVfulgLVjclcqmmhqFw==
5=\"x=
#=qccx4d_xNMPrZUHpmyYb7fIKkXAFa5XEyOIxXg$XLtBw=
z#-C~
#=q9WHClFSp7T8oS_DNFEbAHQ==
GeneratedCodeAttribute
^;d18N
#=qIKJSaaKraxRzi3AD57FKg9MQkSdmOqUcHNxKjSZFGkg=
#=qixBu4j6Hm11f3$mLrzkCcE4AVWtWeNn5nQguwdGbWGg=
FC^"7
SffeeffefeYa*&+
get_ExitCode
T#M6g%
set_WindowStyle
#=qRkk_hj7p4gbUu59IVllqeQ==
op_Subtraction
#=qy1cXcK8A6uRpLlCz7UKkNw==
#=q_kGyEn8KrmBmt5M1N9cUSg==
~`Il3@=
#=qSJAMGBE37IZjr90jS4_MYNWNa1$s8PXhOErbnAhK_ZI=
1.2.2.0
#=q$7KUBFuOZT85iBmKYeGgXQ==
#=qFU5Nq8bBPIPoBGBl$k8ehEhmgSoFzsflrFNnOQsCK6E=
ToLongDateString
#=qpNR_LpdLu_eSOZVgxbr8UFRlKjbiBX7LOuGAbGS07mXUJI3AAilu14uPN_kfaTpW
#=q1vWrLhskrN4OoWzxKuDDSQ==
Increment
QueueUserWorkItem
#=qyo6slTMfgD8IrZ7nr6inHA==
fKOhJe
g;d0 
#=qz5nGZygXT2sWR5FWGAcAzA==
-4&{c
CloseHandle
get_DiscretionaryAcl
#=qyMcWoZuG7jRWeztMnp6fPmxxmqfVgP7DLzGs7HeF4Mo=
#=qDJ0VTVPWfAWYghKX_DdnsQ==
#=qSh9$w8INPkos7acCjV2yFw==
VCd|P
#=q99eEsMLSp2$EVfl66Ua2d1YMqB58RPj30lLgJzJJ64o=
System.Diagnostics
#=q8xbuK7pqyq7mWB67vviBtOo1WSCccuR7xEQnGnyxMyQ=
U)~R8
#=qtS81hD$ORACBvdEkFyqaXA==
#=qxG$Aklpbf6gyBfAqTMmORA==
#=qqj4vWwKBJgvjF_JTc8V9cQ==
^XpV}A
SetProjectError
get_AddressFamily
set_LingerState
#=q02vg4rlYSKrSiDNi4xWbtg==
#=q44BQlEuOnjFd0LbnzKKIIg==
 :hu'a
CLSCompliantAttribute
 1UcF
6hl zb@
z!+Kd
#=qy7SaTx6mT2Pix1CP6ET1Hw==
/!p 8
+idwV7V&
#=qyU_gXk4hv73zg3zoSZSLhQ==
"qE0K
ReadDecimal
;Gt3Aa
ffeeffefeXa*&+
#=qpXMe_UDgWsOaRVi$02jxzg==
#=qM9NIml9iDZh$Fjh9MocFWw==
#=qVqLFp2u1the0Txg1vhieSw==
*-Han
-&&s9
#=qmzYu_D9f4dvUPauEaU7zvyNjCyGp_73Xn5SffrcfQAU=
Encoding
#=qZDHx38VzWszDP$NdqQpGo3ak_Z$zbLpODJse1_Sr2hk=
Dequeue
G5Y>K
#=qi6IJz6lHhd8GI6qygHcvTxSTD2wk_BSYwC2NR2eR0yg=
$9913da77-0b53-4e57-a036-30c0c569c99d
#=qaPkEKJmdD7BgG18R0WsnHA==
H!Y5u
#=qbYAYBaHwcEbf1CaxjAi1bw==
#=qGjp0Vb6efONwANkcKrMTkIBxJvr9AleFfJriudyTw3c=
#=qpghRvZG4ZfcsmvAYC$o8qN0WjB387Pn9cG$Y9HJ3uwU=
kVKc 
BinaryReader
#=qbmVTgf9cRSZkM_UgFSJrlQ==
B*` B
#=q3rtw1eBB$yyPLXzQW$mDOw==
#=qD4n8L4W9wQXrF7w_31K9bjmy3jeB41mSJJrYkh6lpiE=
GetCurrent
#=qdObzsTSX0MpvDi$OPjsFh219oh6Iw7DshgNWGveAvBQ=
b'^-e=9
ConsoleApplicationBase
#=qRIR1iTmdtHs$eBwEdoKphw==
dv"8F
#=qth3CIdKay4zIa5SBJzx7eA==
L=yXP 
#=qglhcKpwNlOshaHMfwiT0UA==
PipeExists
#=qFgBBonKcV6U3Je0BKZZdAZdyEla0MkDel5SRrEzLUvs=
#=qwTOYF_qEkI0dXowKJYtI6A==
#=qeE3S$kdx9R0s10U9GzzcFw==
#=qNZVIIdU4QECigaum94nwLctVkDSuRt$X4_IjuFpWVuY=
#=qRACckQ0ejzlKZgeXX_CPJUyKbl7Zu7QfhWW6eMM03VPusMYB8LREfJZQVcTGHBm_
#=qIrsTmpVUMRgxokIHlpGfmLtKeqxo7vQsjSkKUKFpH4k=
#=qt0$GxMKBUHqpa$X5z4IJNA==
#=qEVnoj7wKonGmgnYpK7PNGg==
#=qtz1ayBjdbHAw$ecbWtEnYJXs5RBd798kqoBvIJunFxc=
#=q0M0RRypoNIjajWAugf6WjbxM$GiKS9VjK_mg6sI0TI8=
ClientLoaderForm
#=qqMkZyGiL$PHkYblZrq1S69029tlEdPXkxbM_smmrcRU=
System.Runtime.InteropServices
#=qAlVTP0_ZXWJdoW5RI3VoXQ==
#=q_$06eDx4N3eSJzkchUhbnjKtHnRsckM7I4ZqcwfQO8E=
#=q_jQLaNdtSDa6ovA0VGw50w==
#=qyNgKOA3iTYvKx8QtBmkDXA==
u`pyK
get_StackTrace
#=q9lvTmS27dN6FAh4mbOnRsQ==
Computer
AceQualifier
#=qdupfYLPCEHNi$xwR52i0Lw==
#=qhRDMBTieg0MID1DJ88eKUA==
#=qj8dHXOkfX1HmIFktLFgFBNrpDhCGGJk0RPJopDOaBy0=
DisableProtection
#=qyGoc_ssbL9RdagmvuBld1Q==
fefefeffe
/mKGH
#=qMoRe_p4fasg7BcMJcnicWw==
#=qsx3W$FQbKM7QI$Z1TXWW5A==
#=qO4hvdkAW0_yOcwEk_VD$lw==
#=qaxeBDkuvv4PncQ$UM0p8ag==
NanoCore.ClientPluginHost
#=qy_aVo5ze7CCnCYXCQvhVBg==
RegQueryValueEx
#=qaRJX6K2L3xhR1w3zuwE79w==
Enter
TargetInvocationException
#=qbNq0eOj9Pw66KrsrDd4qnA==
#=qOTqiIHVN4TWDu4_xhgbifQ==
-)&oN
-7& E
#=qZuX180bPJwK7MhIsqenk34Le3ZCQFFLgmBb4sMlYIpg=
#=q1kCP32T3CbXwL6JS3UekkltOicB4KjO4W45iMQoNvNk=
#=qi1H2yZDbCxvPo0ia9nVnuw==
mscoree.dll
AssemblyName
#=qnOTCmwQWr6BtiNf9ta8BJg==
#=qOWs9MBREWujnaIdYgAI1lg==
DnsRecord
#=qjryTBW16mUfo_ItH9KWoGQ==
sUjT[
#=qSoHRCAcaypsR55EueXBy1g==
#=q0FQ_PiagXHm_B8aG8Ji9Dw==
Compare
#=qRHdMxv5xMrip5nI3eHU3Y52nJ9DhG_ImQVoJh$ooupk=
FormClosingEventHandler
Operators
ReadInt64
#=qNsyg$dsR$GJkSvK2TftGTNPuC8S809j_UmmfNnXTTOo=
psapi.dll
!ZKuwt
B1rI2
#=q6odj$nz79NlWTFUK6$Vbrw==
#=qzjreg8z0D4BPrx4RxUJBoQ==
BeginInvoke
#=qj9swjNLNpEBN8mkOlVmrOw==
|txmy
#=qRpw30Lh0nfhDryqjhyjikg==
#=q2l$b42bR_hlbzUjQTk6vFw==
qY7u%
L5J9Zm
#=qWBzgr2CJEoV4DPIbUzdZZA==
#=qWsAxoahmYzeECOO4WB9kTg==
MessageBoxOptions
#=qF4e058OW__NtTzhWOs1UXEJiHrTSwnIZ3q2u9UaLbo49AZaoog8nMfoDeA9BGVvy
get_Connected
System.Runtime.CompilerServices
#=qDJ8UKTQIGM$_7XkvuUdssA==
#=qkbMW3ViV2G4xkJU4KS4XYUwKzC$oNmhjZ49L9c8BrOM=
#=qCPeeDj1tZ3_XePWJJx7FTlBzWHbtSGvCe1Je6nRznW0=
YAo|z
#=q8fYxP$_i6Xk0$6OlSwUHKcvhrevHxLXqXqvszBe9OtM=
Exists
#=q9c$dxNln4J1nxxC7UNVnfSKvSgKS421$zTS6z9ahlusddEno_MZclU7Qbfc$Fyw5
hpF/8h
#=qa6Qg4SaIgpIknX0EmOdEQg==
#=qSLl9utb6ViD7fbZHSox8oSv7PZDBMO5b6MBr_gzzHF8=
#=q7wyeNFqtiGUhQt6sicod9g==
#=q4P1tyVDbmSIMgskx0BrPh5ZxjoQy0earrulDSsNhpg8=
#=q4fCxMFfzJ9KgfK61DJRvZ5wDvDfYnqR8bhY6TGq9aRk=
GetFileNameWithoutExtension
.text
#=qg61MaViIt3ErBjuA0N9Xrw==
NanoCore
+# S&
#=q2JCFpXLqGkqf10Rox8zrAg==
#=q3_2_t217j7pS3JjemZNI07w3dukMmHXPSE5$LTnvGS8=
#=qN$clRL1tbKGnARF7__FwJg==
#=qoa807UEkAFejsz9ub3crU9Uahxxj5JIyAtKhnrEn$dU=
IDisposable
#=q6W8MK4LKkww2JvseikWqeA==
l!$ J
SetThreadExecutionState
#=qQCd2OoCcjOFxsuzhZKv2M7$UnAX8JX19NdffDxgtv3I=
WriteLine
yp~7}5
2(|Ht
#=qZnbTkU5kDU8O8$hMGiNZlQ==
~q)-Aa
MHRi'
$#%#&#'&98:8;8<8=8>8?8@8A8B8C8
#=q4kUEXPi93MnvgzV6ySNPRQ==
#=qeAvM9D2ZXEFg7Zo1J5PeVA==
Connected
ThreadExceptionEventHandler
[[s\3
#=qqsKAc3v0igxVSmn4Feg8q$1tNTWiqtCBpA_xMlgU$f8=
#=qtkqHWk1kvmO5zt3tTCyF2Q==
CurrentUser
#=q3vPs064Rj1jBOLtFVqV4DA==
#=qYfWGXuhZd0cmWjiCvW2EPw==
GEe!c
_Lambda$__7
Initialize
#=qTKJrybVS3pgV4uZ4KNtp3g==
-,&~~
#=qxybSLhWq6EDNDl0$FuPN8g==
Gg :7
#=qGfiJ4oSCDzJJaNmf22anQw==
#=q5esm6BVWqrzEai7Zgw0cmQ==
advapi32.dll
#=qKXbEtqEIo3E2xdYWIElxIQ==
CaaVu
set_ShowInTaskbar
get_Exists
DiscretionaryAcl
&&*}n
MD5CryptoServiceProvider
wyww_
#=qiO2giJomMFK1wa5$389nVw==
szVTe
System.Windows.Forms.Form
TimeSpan
x&K5lb
#=qe99VPFgyNENK$KtARK_iPuwvOEw_NRgC00PdG55dmGA=
#GUID
#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=
&c{'u
#=qsY8nKQa1iMT2g$sVoLy8u9jrLGP9DMATpaFjFx3wjNU=
#=qR0v_DeAkzbUr6_Md5tN4PQ==
BuilderSettings
IndexOf
#=qovc0J7K6b9Eq_C0K46rbmg==
VegZ'#8Y
#=qoT5qP9FYCI8F5V3gKO7eMg==
#=qzzNUaijPluPyLfyxwDObxw==
MessageBoxIcon
StandardModuleAttribute
Rfc2898DeriveBytes
#=qgAKbtXqj_idozuy66wPGJA==
ReadBoolean
GY]R^
#=qlsj4Kl0M6SYgZMJLZ$QkSw==
#=qFikK0kKzvE4fvbzxpsrllMMR8oLIJtNPAGP1lZZ4prs=
#=qP_nucp5xdFjeAVWRfZ2XfmvYhkwWbeeu3y2fkxvS0yA=
Enumerator
_Lambda$__1
#=qPjPHWXGbaA$51Cna2ZaMpQ==
System.Net
add_Shown
#=qC6KOBEMWwIsQr_847d$S8A==
#=q7YEFsRA19ZrxKTBeL$y0fg==
#=qlFQRS6FW1ex39P1F_VW7Eg==
#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=
#=qXkgpfghvTKDZGlXBGI4x9veQO4JfjF7GW2ECw9$L3EvyKZGOnziwXE2Xr1EkpRwe
|mOLU%
Microsoft.VisualBasic.CompilerServices
GetTypes
PtrToStructure
OpenSubKey
@PC,~+tfdo]a
#=qwVGSEK8LoRuNWEOYfq8$hq39mmxHzM3pIeoRef7XNt8=
#=q_WoKv7McWxMc2YtmbiVaCw==
dnsapi.dll
#=qVIikDYmLtr_O$2vZcqLhHA==
UnhandledException
#=qonMVJIv_P7bZ29oJ_eSSxA==
9e!!XmH
-LF6{
#=qChHxg92yH05lHO0u7UrDcPo$UK1nFXIjb2DI3pyR0FE=
TransformBlock
#=qRYSdRGBC6LM4UFJJGQnk7A==
wO^@3
IPEndPoint
RawAcl
#=qNzt$mJakh1Nxv4vDRDjTsa1OVDKMAlRCO__qncxMoXRz8jNE7AWvE0B4WIqANR1p
#=qFlfDskRbjMOXZPvSw2W2UA==
cg"`f
#=qK4wGebauvtmTKO0oAyLFzHLhr9rU3HNJmU_ur7Zop$YvLzV4HzmIQ45YslW_q1Vc
#=qP3lBpu0cs5q3Lf$qXSL7q6szA7E5M9NqMzkAFV6l4CI=
Close
#=qh7diH14jww3Fm9rMJ_jIfQ==
System.ComponentModel
#=qGS6wNk5u54YEpqtjtMFIpQ==
PADPADP
#=qHtuZg55b91a614FmHMsOMQ==
#=qp9IgcHwNxIVh4GZl4S2tcJtSz0NII67aXwFNDcdhP63JHe9MNg0kPsAos3IUd98k
[6}7r
get_TotalMilliseconds
get_LocalEndPoint
#=qhbsl5nSqHjmKK5u9FniHoA==
#=qM040QWzx1oySCgUyYWc9zA==
;6$)S>
zR9}G!
nS2ZZ
#=qUvO$SDWQpHm3uJq25yzwvw==
~s)gxn
#=q0EPYqANhk$fGDlTztPFu2jRCdUruoFdUMwStI_GHseI=
#=qnIGrpAn2e$qTqbA22$ONbQ==
#=qcyVktfYxc51I1XopnwGNjQ==
vV@N#
XQ/+}$
#=qRCCuvWFd9_O8CfEZhkJtSA==
#=q37jfceDpvm0BhKQMkpktNw==
#=qd3Itd1ELDPHJxhLvt0y1NQ==
#=q2Sd$5fx_doPt8h$UdBacAA==
dk-WME
#=qdsDfPo0zxdY$R7euM0a_vw==
#=q0uUZuMiILVbPeB$t7lx1a0Is1IW4CfkB9ovgW99kERQ=
get_OSVersion
#=qQrBlfreeUYUGyN3hPOorGA==
!This program cannot be run in DOS mode.
#=qChXzjuiVYrb8OlqJPajoUA==
ProtocolType
#=qnoPzE9XMA8S7X5JX6ycJ7w==
#=qOicuy1VnndMMXIrDqqx3EA==
#=qCeF2tfSXulrE0bbyPxU$1ik7Jf3avSO4FKBmKNH9QLg=
kJbP/
ToInt32
%W>(G
#=qHJMw55fNEVIiKcc4ry0o7_L9hyz3vS4jgKl3KMX8xGg=
_Lambda$__6
RuntimeMethodHandle
Buffer
;|:>_
RuntimeCompatibilityAttribute
#=qPgHNba2TbLgSqrCvG0e5Uw==
#=qcDfNIFv7M2KbeeK2ufHf3w==
#=qxYJIjuXFTjRvt41we4akdH1WN2nLMpesVOXXsYuSrHM=
#=qtDC6IoLr5pnMo1d9qdAc2TBOnWqOdlEZHf8Itbl8cJc=
CompilationRelaxationsAttribute
#=qXIsqrB8Mw2TMQ5$s7oRSIQ==
#=qd7RJPnCy4YddvoQeTJhlwA==
#=qquFMi5Wa$w8aN9GGlN4H1Q==
#=qFZLDtLWdUONY4B_gU_jjJi4BgFANcRLPMuWuQINdRLc=
#=qVcF51voQmyGAgyAUz3313w==
#=q7$Vba9f7UkS7OwkHeUGtrn1ymWXBIMnyiJbrBxyOPBM=
feffeefefa
CreateInstance
#=qsUsGxFgC$BJaO_$VAtZ1Ug==
#=qsLIORBvLMZm5c5Lb9Cm$GQ==
#=qZhds7a6Pui$KE4m8ht8xuA==
#=qsUdW_kbiEct8_uosknsYUQ==
_Lambda$__9
#=qb8Z0_4AS4r8OSPknVYvDfA==
Monitor
#=qxO41EOA8VDczxcMMPD9Hv85pbiPnTbukmYyDI5Z6X8A=
,q6o&
#=qrYH2MBQ1J6Wu3hhoHHVW0JQwxTYC8hYBTLbQIYHNBds=
#=qWkPc$uBFgJrhuimjKXkFcw==
#=qs4p7qYamgHyRCYZsTKM03Q==
QL-f:
#=qXyCbQ53pEXrdqhJ6oXoHqg==
#=qo$DZvhC1PKdsChUToY52NA==
#=qGCYL9FviWCrv0prWZC8VfgL34V_6XyB$buFX2LkjbCg=
#=q5$hUSQAZNmEXcUcvGVFJrlqtw6IWJBy6C7LN$kOmTWU=
b`*&+
`%,h}
UInt64
#=qUZMwlqlTBPLi1iscPEnOdMZqp5jDsQ1UK2Kgux$Yn40=
#=qxOFsoGbvlBlUujyS9g3fPQ==
#=q5WXECfTJPQIQ2JoJDGsf9pTFKCPzQGp3$QlyT_g_ZCY=
RDLXukk0
-2&~}
Stream
uYt2H
#=qNc0O1YGwS4NhcbB7sgpVgg==
#=qlt$K8Ex4tZEPwTl4RuqGMw==
ObjectFlowControl
DnsQuery_A
#=quRXaU$OHlRs_89kacdiUMQ==
#=qb_soGTESOxGbPyWr9RZjig==
#=qqLNJOrQl$9SirTNF5ZKaLA==
RuntimeTypeHandle
#=qZb1TYPPMMY64aTN2MpcGOQ==
#stAIq
#=q9x6KBL_arYpQC$zFf4pEFQ==
IPAddress
HashAlgorithm
#=qBuMzaVqxpYkDVtTnLpbYyjTfZNKm8_4JkuoFHPxOBFo=
System.Security.AccessControl
Z6-yS
#=q1BpeNGUQvsUFoXPmB6q50A==
%XCr)+
w@Ki"6
RestoreProtection
#=qiY1B9yU2oVkPHxhn$y67SFTP8x1Jb0botGqdUGkdpQg=
Timer
VbF>)f}2/Qo0
#=qkxzumuLbzy2O2XsBlM3j$g==
#=qvQfNpqhSbw_$p1TB3UFgJA==
#=qDBRodZmvuO0qLafxHA9KMQ==
#=qrWXrfWfqyzD06oY$LsE9ww==
SendToServer
*Mx2#
#=qJEtGIBRUjtEusa67yMyqWQ==
#=qVvEn7vdm6JlvG9koG0JUIQ==
Y3JhHK
0zr:Q
l:KXFnc
WindowsPrincipal
#=qqReemZdhHj1veATVZbU2_Q==
#=qWfwpJtKOXBFXf_1zpmLUrQ==
Collect
#=q5mGK9suCIiUDZgS_YSrSQg==
kd+Zc0<
Qh:C;g
9+=Zi
cs8:t1O
ReadUInt16
#=qcp_YDS3uDXZMDFWGeFYphA==
MulticastDelegate
#=qP5B75c4g32E_HsewCKc$Ig==
-*&{c
#=q4kB_KjL2oo8adT7lfnt6ew==
#=qPbvCT$UNIh_DPMt5F02Hyw==
#=qKtJTKEkNf2mJVHcZzSW8iQIcsBglzcJJOkX7V_uB55w=
#=q4o4zrrzr7uOw3pySDBOwZtAOdlhvudqcbIbhABkQfe4=
#=qenWi8guqQrvoGB55djo0ka_844yTmViBn5_Fr2X6HAceO7AJErk_Rh7nfkfqtUbq
X8St?
LockResource
#=q5fG5Wo3pzujuJKotO2WwDQ==
get_BytesTransferred
GetProcessImageFileName
#=qQbsDS5g6rYgVt4AUW_pPJ8MQlCJBs7uyF9EY8OKREmQ=
#=qyYejfncvZCW4q4y4GEV7QqOL4Aox1NSDqQmcpM4TQVA=
_"QS$8
#=q0f150kYsIx0s3raR3xq1xQ==
Utils
#=q6ARXRSe2PbSpq5u4_c1Rsw==
#=qpE_mRkS89WMXbQTdLD7bwp4pTt2zrWY_WBF1BLz1fes=
GetEntries
#=qtussAh$DpHFmu7sm9TXJyZsrjeJ6Xm9c2y22v4wQG2s=
StackTrace
#=qc3tkHe_7v$eGA2x6krh72Q==
ClientSettingChanged
Registry
E9Hos
MuCG@
ProcessStartInfo
#=qXzCb60v8h3v0rPCrGf606Q==
#=qvvhgGCgMlZiK63M2bP1Kcg==
#=qpaOobmVTnUS0322VEUTQd53tn4HeMWSoV2XuTUOmp6U=
#=qCQ9vY8iVniiFr_C0wuoMFHQgjJIll0MjoDGXuPo1hYk=
#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q
HostDetails
#=qwWiTcboLi4zF4ycKWLBprqWhuc6ZDNNDjC8OE8DG1$c=
#=qFTBwGADWl13TibdOa5ODk_Y2qcfMGC4lp4rhrZcE84kZNE6dU4EqEk2ZYKuJAWo9
#=qK7tJUw5nsLE_rt2JHgqYI6_vH0s$mFFB1QifRuMCr34=
nq]iG
#=qKwlvi80KuDBelBsvucNuhRsqXRtqCfWqVH1dUPmd6_o=
#=qzI8efPARogp2CZcGB2UtfAz2tJs0A4fM9fKvuTKYqi8=
-!&o/
#=qphSRC1xHjYarc$NSFAVMID1iP8dwbr6BCaxyrkptDP0=
9dmG 
#=qPYtEwg1BZk5tP9KKNl$36tqIdWilqjeWcpWKL2Zxnug=
>Tzn8
#=qmTxGiMA05lTEtoPPV6RFOih4DYS0uxrxPO4vA1H2j6U=
#=qRNkKSXdFDcR_p8Jbzx9WJQ==
IClientUIHost
#=qGvpT_A2MS3Oi797y6jojBg==
#=q0xixHwSTS$a9x5dtNZccvebVLuO4euYOepae9m2S64s=
#=qSJci08l8EqyD9KF0joWzSA==
]"Q+a-Y6I
Tol{@]
afeffefeeffe
#=qYKspnFhL3rrV8a6zSvXJWA==
+7d8r
#=qzAgp3UwWT0075L6Sh4PfZA==
`eaWZ
h|iw1
jfk/43
ReadBlockData
AddMinutes
#=qDJ4yS7fCDfIiEVFkwyEE6G3$$73HwRgy2_eKZUkxaSo=
-"&~k
#=qhE2P2k46jiSSjO86g3nB1MkLGC9_3avDpI7iYbUHr5g=
#=q98hMbgVf4fBR3MKeaM4uQI$YRLQdIr1biYYF5369cW8=
#=q5bws5LlHvLK62TcSJadQTw==
#=qP9qYgJs5_O2GP2pI$ho4ZSa8wQkwNQEBMg8VjNRrUWE=
#=qQkx1bBZns8hPde7$PcvfUl2fAairj6t_H8ve7nJO2s3BIB3t7PXd4ZR9h0JHyxrX
D.~Hk
P!HugQ?[
ToArray
#=q9LcncGbDdZaeonfU3943IQ==
#=qhufLjssUmkN_mXHuWOXl8gUDxidnVdWY$tHhp2HS0ic=
#=qJpz_ygP5AiHfhtTxRulSsw==
#=qtNbB44E34Ui_i5yJYQ5ntw==
#=q752iy7NeRDzz3UAYRlXXfQ==
get_MetadataToken
#=qAbQ42UrUbGpmkYA2zun7Tg==
#=qFY80y4KcMQywRNP$ttVIXw==
S& B!
#=q2LHISsr6oVwPjyrC2AFTD2_CdAouK60pDkoTs0efRSU=
get_Item
UInt16
#=qN6ip4UNq3TKArPG3ZZy$zw==
QSks3
get_Now
#=qLEtx_37WeiIPQPYSN8vY0qTNiL_L6nA6vkFQwNlcU2Y=
 wst(
FormWindowState
?dm~t
Delete
-w)yS6
ClientUninstalling
a+t]R
#=q6OqJPhANvYfkdc5uh_IKsUbLoI4zVFCxs4fpu7Vxr_U=
affefeeffe
#=q7uQjJN4fKJgs403tXnERFbQ1VWp3FBsMW_1ZAWZtc1g=
#=q_0gCRmXint4znUKVJR_bzg==
kJLZ)~
#=qBk9t7p9S5R095rOkFdE8GQ==
#=qT9sog7FujhNJZHxxUXVGPg==
#=qYhk_OkZkBWola80M6EUqow==
#=q74AbaKJhduohKQ4YDrC28g==
34wM3
dpi8t
#=q2n0wwv9OpsrMrxVUVHoqGw==
fpr=&
#=qVxXNKnhAcArgJoGGYXiyyQ==
#=q8WaW5L3_NY3KPDRN6V9mCI08mHUZbTcARcexWvaAL6A=
String
#=qxe_BfLLMHqYa_KBeLsRfpw==
GetObjectValue
#=qWNtQAckY3EoQ$HeRpEQ9MEcj4oiFXpw6QZThgsGNZIA=
#=qscQJIcBkI9VH8bZTZtABeA==
#=qXULhMbqiur_al62NrjaiXWJ8rme0bKMO8KkV356NZwk=
<generated method>
#=qalo3zYdlWWh$dYSx9JnNrw==
ContainsKey
#=qKaOsg8ghd7KyYDCm3RhDg9KJrf7McwaH92TdOJzSw6s=
#=q60UcvJzzgao2Rv_stV3rQhhxCdm95L1Gb83mKGH1VxQ=
p4LPh
#=qHauijmh2nJ5kHO6fTYBnJFZKkfzkWt5gB4mYS5OLOVc=
z5LIw9
#=q2c1dOwAlqEVK063i13$4Vg==
-0&sY
#=qcMb6hxBpdyTwCjvpzaQcC5dS3wbplPqOta7ERz_lMIo=
Xr},e
IEnumerable`1
#=qfLFZgbR_r0GETPSprP6O9w==
#=q3$9MQ9O56ldzMJGDeTdBZw==
ToInt64
-JJ_o~
]h^TA
#=qkgpjO3I2rdg6Il4nyqzgDw==
?85!y
#=qSbcOBh8Kf7zb$IciDxPlGw==
#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=
D>-[l
#=qKU0J1fiP8KA33eFK1owekQ==
Console
#=qsR25pLrAgwps$DwdB_BuUbMipiUFFEDkypROuvRRPj4=
#=qKi0KrAcAGUOMcS5S$2tJyg==
#=q5grPwgEurSn6KutVLS5_oPClPR_aCEdSRk5nKP5bDm4=
7kc#,O6B
#=q8VTskDJ5TyHJcDeWmklddw==
#=qbn24Ox5i732BM_T_R4Q3RtK1pEoSIYmxE9Rba9DDKEA=
SizeofResource
#=q2WFu5tRyicebO6UkQga8SbXrngw5YigfLTTVJqQy1qI=
BaseCommand
System.IO.Compression
#=qwSqLSPEuM8lJy4sOeuH92YjPodcLquqdG$OodozwC60=
Transmission
StackFrame
#=q8d8q1KZbTCKTAZreko1Lug==
g,HbD
#=qgW$Sn0ALOASuZcEZHxiZDaj3mNXTljqLa5onSc7M0U0=
get_Key
e[{ho
V8/HKj
Intern
PipeCreated
BVzl]
-,&~C
#=q7b0FP8eSMCctHkHIxEb12w==
#=qG5YZbexfSlZk_cwFxKFh4HaY$Krp4rK2HdCH8OIs4EI=
LogClientMessage
#=qEqEPF0jj3sUIryvQNEKKCV9boaHFZuHXMROqSn28L3g=
tWin32Error
L9$t#1
#=q9iu_XWrg9WTOw3hVDQcP8ZcABJLoMYtAY0HfRbaBN24=
#=qdDrSQoelY6gHzRt_ma5NQg==
add_ThreadException
AssemblyProductAttribute
#=qwBDUI_NSPNLYbPH4gy$3uQ==
#=qsWAbPBa1yptbB97zoAjeSA==
get_Length
SU>)MP
#=qc7QknLi4DrEENw9hVJyfaw==
VariableChanged
#=qN76bQl1CQ6EpIJzS4bbSnw==
#=qA32zcbPIWwOaURCE8zDGfw==
#=qqROT7DfncW7strhZvp0iRQ==
FileInfo
ConstructorInfo
#=qqnp3i0xG3gb2LwEmwQLB8NQerATuB2G0aH1k$$26lgk=
Change
get_BinaryLength
#=qbWN2780y2PKcyDt_4uktmA==
3}/,V
DialogResult
#=q6wR5WMLGkL9afTpqmWsw9g==
MessageBoxButtons
p8q^Vd
Activator
#=q48p8EJcbwRuSJ9efJfzTZ7uyOBVlFQpnFVv30w93EJA=
get_IsEnum
a,CQYP
z2TgP=
f});o
#=qrmavK4kbgFTgX3_IUlEoRw==
#=qoygY$KIlhsLDneTXkJ_L9A==
#=qhPbzHXREadcUSl6d6LhVYw==
#=qVCHxDTr$$bwFMb6i9vBKRZciaa69edA3gsLNOty0RAzCorWRBUh2v0PgySYBEvZ0
#=qgN8fDYnB$J$X9QGGYQsYuvA6BpDT4GE_ca7JiOh661Q=
rAZ$M
ffeeffefeefa
#=q6NenfQbzQYLSZe2oYrhKsEGeaR69wF$W7VvfZPx7lyg=
}A@&z
#=qtRuLPG6CownVXpQS2Jma6EmxR$R$u15FKPRjOSzCUIw=
-*& r 
#=q6k7flm9GMlPIija7ZH1xJg==
UnhandledExceptionEventArgs
#=qbLBIoIXYNfJl3x9LHqBWNA==
#=q9RHjNFjnLkbqjNKidtUNeAGLmByWXgbKwjLfhcq9NOc=
List`1
AssemblyCopyrightAttribute
#=q0U3u45cUl83Kicjfx0RmVA==
#=q9T406SLBpfhYfDTkCrB28g==
#=qO0bmWYqIZnaB7Udo1OTvUuiP36Q9Z_7hz6URm1Yr1hM=
#=qibDx9sEkAVZroec7HmNu4g==
'Xg3U[
4System.Web.Services.Protocols.SoapHttpClientProtocol
#=q6V4Kle56uZFNUY$zkrrKJQ==
ToByteArray
ICryptoTransform
#=qzDzg9a$HVGG1G5cdhqbdwO3OG_SFijGXN8Towa37$TQ=
#=qd4_A7Y1qGQ8QAgHfK8_ssQ==
#=q3qYAJGveL_cxux6_2m4Vaw==
TryParse
#=qDB62T9X0iP_6WNTXOuwQnA==
PipeClosed
#=q8eJA0L4q0RMnuOJCvpFj3133vZRxVnxvHST9vysUWYQ=
Array
Microsoft.VisualBasic.ApplicationServices
#=qpQiSeXaCc6qGNX49vDbcMYyzv_UpV$YoUyrH0l6FW6Q=

PE Information

Image Base

0x00400000

Entry Point

0x0001e792

Min OS

4.0

Compile Time

2015-02-22 00:49:37

Import Hash

f34d5f2d4577ed6d9ceec516c1f5a744

Name	RAW Addr	Virt Addr	Virt Size	Raw Size	Characteristics	Entropy
.text	0x00000200	0x00002000	0x0001c798	0x0001c800	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.60
.reloc	0x0001ca00	0x00020000	0x0000000c	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	0.10
.rsrc	0x0001cc00	0x00022000	0x00015dcc	0x00015e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	8.00

Name	Offset	Size	Language	Entropy	Type
RT_RCDATA	0x000220a0	0x00015d18	LANG_NEUTRAL	8.00	None
RT_GROUP_ICON	0x00037db8	0x00000014	LANG_NEUTRAL	3.40	None

Address	Name
0x402000	_CorExeMain

Processing 34.96s

15.444s Suricata
10.272s NetworkAnalysis
8.395s CAPE
0.772s BehaviorAnalysis
0.074s AnalysisInfo
0.001s Debug

Signatures 0.40s

0.096s antiav_detectreg
0.036s infostealer_ftp
0.033s territorial_disputes_sigs
0.021s infostealer_im
0.02s antianalysis_detectreg
0.012s antiav_detectfile
0.011s antivm_vbox_keys
0.011s masquerade_process_name
0.01s ransomware_files
0.009s infostealer_mail
0.009s network_dns_url_shortener
0.007s antianalysis_detectfile
0.007s antivm_vmware_keys
0.007s infostealer_bitcoin
0.007s suspicious_tld
0.007s ransomware_extensions_known
0.005s antivm_parallels_keys
0.005s antivm_vbox_files
0.005s antivm_xen_keys
0.004s network_cnc_http
0.004s network_dyndns
0.004s antivm_generic_diskreg
0.004s geodo_banking_trojan
0.003s antivm_vpc_keys
0.003s poullight_files
0.002s network_torgateway
0.002s antidebug_devices
0.002s antivm_bochs_keys
0.002s antivm_hyperv_keys
0.002s antivm_vmware_files
0.002s bypass_firewall
0.002s qulab_files
0.001s network_http
0.001s network_open_proxy
0.001s accesses_netlogon_regkey
0.001s accesses_sysvol
0.001s antiemu_windefend
0.001s antivm_generic_bios
0.001s antivm_vbox_devices
0.001s ketrican_regkeys
0.001s banker_cridex
0.001s browser_security
0.001s checks_uac_status
0.001s file_credential_store_access
0.001s registry_credential_store_access
0.001s darkcomet_regkeys
0.001s disables_backups
0.001s disables_browser_warn
0.001s disables_power_options
0.001s azorult_mutexes
0.001s cryptbot_files
0.001s echelon_files
0.001s network_dns_opennic
0.001s network_dns_paste_site
0.001s network_dns_temp_file_storage
0.001s medusalocker_regkeys
0.001s revil_mutexes
0.001s limerat_regkeys
0.001s modirat_behavior
0.001s obliquerat_files
0.001s rat_pcclient
0.001s warzonerat_files
0.001s warzonerat_regkeys
0.001s reads_password_database
0.001s recon_fingerprint
0.001s remcos_files
0.001s remcos_regkeys
0.001s sniffer_winpcap
0.001s language_check_registry
0.001s tampers_etw
0.001s targeted_flame
0.001s lokibot_mutexes
0.001s ursnif_behavior

Reporting 0.03s

0.03s JsonDump

Signatures

Checks available memory

Queries computer hostname

Queries the username

Attempts to connect to a dead IP:Port (2 unique times)

IP: 172.67.178.110:443 (unknown)

IP: 172.67.147.249:443 (unknown)

Queries the keyboard layout

Queries the computer locale (possible geofencing)

SetUnhandledExceptionFilter detected (possible anti-debug)

A process attempted to delay the analysis task.

note: 91d880890f6e481edcbe.exe tried to sleep 568.626 seconds, actually delayed analysis time by 0.0 seconds

At least one IP Address, Domain, or File Name was found in a crypto call

ioc: x00.text

Reads data out of its own binary image

self_read: process: 91d880890f6e481edcbe.exe, pid: 6484, offset: 0x3030785c3030785c, length: 0x00001000

self_read: process: 91d880890f6e481edcbe.exe, pid: 6484, offset: 0x3030785c3038785c, length: 0x00000200

HTTP traffic contains suspicious features which may be indicative of malware related traffic

ip_hostname: HTTP connection was made to an IP address rather than domain name

suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1777715798&P2=404&P3=2&P4=lPKE0H2kvNLZaX%2baQZIlsIf4V71n3W%2fU7ukwQMf%2fbNBOu6Z2zjLPHkqlHsI92jczzHIL4FQHp8lNNQI27vV4UQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

Performs some HTTP requests

url: http://i.pki.goog/gsr1.crt

url: http://i.pki.goog/r4.crt

url: http://i.pki.goog/we2.crt

url: http://i.pki.goog/gsr4.crt

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1777715798&P2=404&P3=2&P4=lPKE0H2kvNLZaX%2baQZIlsIf4V71n3W%2fU7ukwQMf%2fbNBOu6Z2zjLPHkqlHsI92jczzHIL4FQHp8lNNQI27vV4UQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

The binary likely contains encrypted or compressed data

section: {'name': '.rsrc', 'raw_address': '0x0001cc00', 'virtual_address': '0x00022000', 'virtual_size': '0x00015dcc', 'size_of_data': '0x00015e00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '8.00'}

Creates RWX memory

Installs itself for autorun at Windows startup

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem

data: C:\Program Files (x86)\NAT Subsystem\natss.exe

Exhibits behavior characteristic of Nanocore RAT

Binary file triggered multiple YARA rules

Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Nanocore

Binary triggered YARA rule: Windows_Trojan_Nanocore_d8c4e3c5

Binary triggered YARA rule: Nanocore

Binary triggered YARA rule: Nanocore_RAT_Gen_2

Binary triggered YARA rule: NanoCore

Binary triggered YARA rule: NETexecutableMicrosoft

Binary triggered YARA rule: IsPE32

Binary triggered YARA rule: IsNET_EXE

Binary triggered YARA rule: IsWindowsGUI

Binary triggered YARA rule: IsPacked

Binary triggered YARA rule: Microsoft_Visual_Studio_NET

Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET_additional

Binary triggered YARA rule: Microsoft_Visual_C_Basic_NET

Binary triggered YARA rule: Microsoft_Visual_Studio_NET_additional

Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET

Binary triggered YARA rule: NET_executable_

Binary triggered YARA rule: NET_executable

Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 6484 triggered the Yara rule 'IsPE32' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsWindowsGUI' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsPacked' with data '[]'

Hit: PID 6484 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientApp', 'IClientData', 'IClientNetwork', 'IClientAppHost', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings', 'get_Connected']'

Hit: PID 6484 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'IClientAppHost', 'AddHostEntry', 'LogClientException', 'PipeExists', 'IClientLoggingHost']'

Hit: PID 6484 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'

Hit: PID 6484 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'

Hit: PID 6484 triggered the Yara rule 'IsPE32' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsNET_DLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsDLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsWindowsGUI' with data '[]'

Hit: PID 6484 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6484 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'

Hit: PID 6484 triggered the Yara rule 'IsPE32' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsNET_DLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsDLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsConsole' with data '[]'

Hit: PID 6484 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientData', 'IClientNetwork', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings']'

Hit: PID 6484 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'

Hit: PID 6484 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'

Hit: PID 6484 triggered the Yara rule 'IsPE32' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsNET_DLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsDLL' with data '[]'

Hit: PID 6484 triggered the Yara rule 'IsConsole' with data '[]'

Collects information to fingerprint the system

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Attempts to remove evidence of file being downloaded from the Internet

file: C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe:Zone.Identifier

Screenshots

Hosts

Direct	IP	Country Name
Y	20.93.72.182 [VT]	unknown
N	172.67.178.110 [VT]	unknown
N	172.67.147.249 [VT]	unknown
Y	72.154.7.16 [VT]	unknown
Y	72.154.7.108 [VT]	unknown
Y	72.154.7.100 [VT]	unknown
Y	46.149.110.67 [VT]	unknown
Y	72.154.7.105 [VT]	unknown
Y	72.154.7.102 [VT]	unknown
Y	72.154.7.98 [VT]	unknown
Y	72.154.7.101 [VT]	unknown
Y	72.154.7.107 [VT]	unknown
Y	72.154.7.109 [VT]	unknown
Y	13.107.6.156 [VT]	unknown
Y	84.47.178.41 [VT]	unknown
Y	20.165.94.54 [VT]	unknown
Y	150.171.27.11 [VT]	unknown
N	173.194.73.94 [VT]	unknown
Y	84.47.178.56 [VT]	unknown
Y	84.47.178.49 [VT]	unknown
Y	52.123.242.97 [VT]	unknown
Y	40.126.53.14 [VT]	unknown
Y	4.207.247.139 [VT]	unknown
Y	20.189.173.2 [VT]	unknown

DNS

Name	Response	Post-Analysis Lookup
i.pki.goog [VT]	A 173.194.73.94 [VT] CNAME pki-goog.l.google.com [VT]	173.194.73.94 [VT]
bbc.in.net [VT]	A 172.67.147.249 [VT] A 104.21.71.182 [VT]	172.67.147.249 [VT]
syashop.uk.com [VT]	A 104.21.75.156 [VT] A 172.67.178.110 [VT]	104.21.75.156 [VT]

Summary

Accessed Files Read Files Modified Files Deleted Files Registry Keys Read Registry Keys Modified Registry Keys Mutexes

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe.config
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\msvcr80.dll
C:\Windows
C:\Windows\WinSxS
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Users\cape\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\91d880890f6e481edcbe.exe.log
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Windows\System32\windows.storage.dll
C:\Users\cape\AppData\Local\Temp\Wldp.dll
C:\Windows\System32\wldp.dll
C:\Users\cape\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\cape\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\cape
C:\Users\cape\AppData
C:\Users\cape\AppData\Local
C:\Users\cape\AppData\Local\Temp
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Windows\System32\l_intl.nls
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.INI
C:\Windows\assembly\pubpol5.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
C:\Windows\assembly\GAC_32\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
C:\Windows\Globalization\ru-ru.nlp
C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\System32\msctf.dll
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\USER32.dll.mui
C:\Users\cape\AppData\Local\Temp\CRYPTSP.dll
C:\Windows\System32\cryptsp.dll
\Device\ConDrv\Server
\Device\ConDrv\\Reference
\Device\ConDrv\\Connect
C:\Users\cape\AppData\Local\Temp\client.log
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A
C:\Users\cape\AppData\Roaming
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\run.dat
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\Exceptions\1.2.2.0
C:\Windows\System32\tzres.dll
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\tzres.dll.mui
C:\Windows\System32\ru-RU\tzres.dll.mui
C:\Windows\sysnative\ru-RU\tzres.dll.mui
C:\Program Files (x86)\NAT Subsystem
C:\Program Files (x86)
C:\Program Files (x86)\NAT Subsystem\natss.exe
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\NAT Subsystem\natss.exe
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources.dll
C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources\mscorlib.resources.dll
C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources.exe
C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources\mscorlib.resources.exe
C:\Windows\Globalization\ru.nlp
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089\mscorlib.resources.INI
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.PDB
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe:Zone.Identifier
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\catalog.dat
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\storage.dat
C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll
C:\Users\cape\AppData\Local\Temp\ClientPlugin\ClientPlugin.dll
C:\Users\cape\AppData\Local\Temp\ClientPlugin.exe
C:\Users\cape\AppData\Local\Temp\ClientPlugin\ClientPlugin.exe
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\settings.bin
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\settings.bak
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\Logs\cape
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\Logs
C:\Users\cape\AppData\Local\Temp\Lzma#.dll
C:\Users\cape\AppData\Local\Temp\Lzma#\Lzma#.dll
C:\Users\cape\AppData\Local\Temp\Lzma#.exe
C:\Users\cape\AppData\Local\Temp\Lzma#\Lzma#.exe
C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources.dll
C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources.exe
C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources.dll
C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources.exe
C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI

C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe

\Device\ConDrv\Server
\Device\ConDrv\\Reference
\Device\ConDrv\\Connect
C:\Users\cape\AppData\Local\Temp\client.log
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\run.dat
C:\Program Files (x86)\NAT Subsystem\natss.exe

C:\Program Files (x86)\NAT Subsystem\natss.exe
C:\Users\cape\AppData\Roaming\339D92A4-C255-4420-97B0-5631BD58867A\NAT Subsystem\natss.exe
C:\Users\cape\AppData\Local\Temp\91d880890f6e481edcbe.exe:Zone.Identifier

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\91d880890f6e481edcbe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v2.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3749840076-4109591986-3192690632-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5aa75839\10fdf3
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_ru-RU_b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\de7da15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3749840076-4109591986-3192690632-1000\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|91d880890f6e481edcbe.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|91d880890f6e481edcbe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|91d880890f6e481edcbe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3749840076-4109591986-3192690632-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_ru_b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\2f231edf
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4ecde57e\31d9ddbb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a054161\46043f61
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\3b405a35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\26de983b
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Counter Names

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v2.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Library
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\IsMultiInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\First Counter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\CategoryOptions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\FileMappingSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Counter Names

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem

Local\SM0:6484:168:WilStaging_02
Global\CLR_CASOFF_MUTEX
Global\{80a8cf76-041f-4f9a-8ed2-2be59774b180}
Global\.net clr networking

No results found.

No behavioral analysis data available.

Sorry! No strace.

Sorry! No tracee.

Hosts (0)
DNS (0)

Hosts

No hosts contacted.

TCP Connections

No TCP connections recorded.

UDP Connections

No UDP connections recorded.

DNS Requests

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP Traffic

No SMTP traffic performed.

IRC Traffic

No IRC requests performed.

ICMP Traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

No dropped files found.

No CAPE payloads found.

Sorry! No process dumps.

Detection(s):

Analysis Details

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

Parent File Info

File Information

File Information

Strings

PE Information

Sections

Resources

Imports

mscoree

Statistics 35.38s

Signatures

Screenshots

Hosts

DNS

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP