Detection(s):
NanoCoreAnalysis Details
| Category | Package | Started | Completed | Duration | Logs | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| FILE | exe | 2026-04-28 00:03:23 | 2026-04-28 00:07:29 | 246s |
|
|||||
| Reports | JSON | |||||||||
Analysis Log
2026-03-05 20:34:39,444 [root] INFO: Date set to: 20260428T00:04:27, timeout set to: 120 2026-04-28 00:04:27,166 [root] DEBUG: Starting analyzer from: C:\_g_ewr1x 2026-04-28 00:04:27,244 [root] DEBUG: Storing results at: C:\coVEjD 2026-04-28 00:04:27,275 [root] DEBUG: Pipe server name: \\.\PIPE\bEKvYdteFZ 2026-04-28 00:04:27,322 [root] DEBUG: Python path: C:\Python310 2026-04-28 00:04:27,369 [root] INFO: analysis running as an admin 2026-04-28 00:04:27,385 [root] INFO: analysis package specified: "exe" 2026-04-28 00:04:27,385 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2026-04-28 00:04:27,416 [root] DEBUG: imported analysis package "exe" 2026-04-28 00:04:27,431 [root] DEBUG: initializing analysis package "exe"... 2026-04-28 00:04:27,447 [lib.common.common] INFO: wrapping 2026-04-28 00:04:27,588 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-28 00:04:27,603 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\sex1.exe 2026-04-28 00:04:27,619 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2026-04-28 00:04:27,619 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2026-04-28 00:04:27,619 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2026-04-28 00:04:27,619 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2026-04-28 00:04:27,760 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2026-04-28 00:04:28,244 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2026-04-28 00:04:28,322 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2026-04-28 00:04:28,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2026-04-28 00:04:28,510 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2026-04-28 00:04:28,760 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab' 2026-04-28 00:04:28,885 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw' 2026-04-28 00:04:29,760 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance 2026-04-28 00:04:29,775 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2026-04-28 00:04:29,775 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2026-04-28 00:04:29,775 [root] DEBUG: Initialized auxiliary module "Browser" 2026-04-28 00:04:29,775 [root] DEBUG: attempting to configure 'Browser' from data 2026-04-28 00:04:29,791 [root] DEBUG: module Browser does not support data configuration, ignoring 2026-04-28 00:04:29,791 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2026-04-28 00:04:29,791 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2026-04-28 00:04:29,791 [root] DEBUG: Initialized auxiliary module "DigiSig" 2026-04-28 00:04:29,791 [root] DEBUG: attempting to configure 'DigiSig' from data 2026-04-28 00:04:29,807 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2026-04-28 00:04:29,807 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2026-04-28 00:04:29,807 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2026-04-28 00:04:58,182 [modules.auxiliary.digisig] DEBUG: File is not signed 2026-04-28 00:04:58,182 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2026-04-28 00:04:58,197 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2026-04-28 00:04:58,197 [root] DEBUG: Initialized auxiliary module "Disguise" 2026-04-28 00:04:58,197 [root] DEBUG: attempting to configure 'Disguise' from data 2026-04-28 00:04:58,197 [root] DEBUG: module Disguise does not support data configuration, ignoring 2026-04-28 00:04:58,197 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2026-04-28 00:04:58,244 [modules.auxiliary.disguise] INFO: Disguising GUID to f3037635-6191-4c44-bd96-905f1b4feafd 2026-04-28 00:04:58,260 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2026-04-28 00:04:58,260 [root] DEBUG: Initialized auxiliary module "Human" 2026-04-28 00:04:58,260 [root] DEBUG: attempting to configure 'Human' from data 2026-04-28 00:04:58,260 [root] DEBUG: module Human does not support data configuration, ignoring 2026-04-28 00:04:58,260 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2026-04-28 00:04:58,275 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2026-04-28 00:04:58,275 [root] DEBUG: Initialized auxiliary module "Screenshots" 2026-04-28 00:04:58,275 [root] DEBUG: attempting to configure 'Screenshots' from data 2026-04-28 00:04:58,275 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2026-04-28 00:04:58,275 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2026-04-28 00:04:58,325 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2026-04-28 00:04:58,338 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2026-04-28 00:04:58,432 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2026-04-28 00:04:58,432 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2026-04-28 00:04:58,432 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2026-04-28 00:04:58,447 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644 2026-04-28 00:04:58,619 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\_g_ewr1x\dll\644.ini 2026-04-28 00:04:58,619 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2026-04-28 00:04:58,744 [lib.api.process] INFO: 64-bit DLL to inject is C:\_g_ewr1x\dll\wIazzoy.dll, loader C:\_g_ewr1x\bin\fSDEQCOs.exe 2026-04-28 00:04:58,838 [root] DEBUG: Loader: Injecting process 644 with C:\_g_ewr1x\dll\wIazzoy.dll. 2026-04-28 00:04:59,713 [root] DEBUG: 644: Python path set to 'C:\Python310'. 2026-04-28 00:04:59,995 [root] DEBUG: 644: Disabling sleep skipping. 2026-04-28 00:05:00,057 [root] DEBUG: 644: TLS secret dump mode enabled. 2026-04-28 00:05:00,385 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500 2026-04-28 00:05:00,416 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABBA0000, thread 4908, image base 0x00007FF7C23E0000, stack from 0x0000008E4CA72000-0x0000008E4CA80000 2026-04-28 00:05:00,432 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe 2026-04-28 00:05:00,494 [root] DEBUG: 644: Hooked 5 out of 5 functions 2026-04-28 00:05:00,557 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2026-04-28 00:05:00,682 [root] DEBUG: Successfully injected DLL C:\_g_ewr1x\dll\wIazzoy.dll. 2026-04-28 00:05:00,698 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe> 2026-04-28 00:05:00,698 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2026-04-28 00:05:00,807 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\coVEjD\tlsdump\tlsdump.log 2026-04-28 00:05:08,494 [root] INFO: Restarting WMI Service 2026-04-28 00:05:10,744 [root] DEBUG: package modules.packages.exe does not support configure, ignoring 2026-04-28 00:05:10,775 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages' 2026-04-28 00:05:10,775 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-28 00:05:10,932 [lib.api.process] INFO: Successfully executed process from path "C:\Users\cape\AppData\Local\Temp\sex1.exe" with arguments "" with pid 6648 2026-04-28 00:05:10,932 [lib.api.process] INFO: Monitor config for <Process 6648 sex1.exe>: C:\_g_ewr1x\dll\6648.ini 2026-04-28 00:05:10,947 [lib.api.process] INFO: 32-bit DLL to inject is C:\_g_ewr1x\dll\zbBXAj.dll, loader C:\_g_ewr1x\bin\oNunBip.exe 2026-04-28 00:05:11,135 [root] DEBUG: Loader: Injecting process 6648 (thread 6700) with C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:05:11,135 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC. 2026-04-28 00:05:11,135 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued. 2026-04-28 00:05:11,135 [root] DEBUG: Successfully injected DLL C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:05:11,150 [lib.api.process] INFO: Injected into 32-bit <Process 6648 sex1.exe> 2026-04-28 00:05:13,182 [lib.api.process] INFO: Successfully resumed <Process 6648 sex1.exe> 2026-04-28 00:05:13,619 [root] DEBUG: 6648: Python path set to 'C:\Python310'. 2026-04-28 00:05:13,697 [root] DEBUG: 6648: Disabling sleep skipping. 2026-04-28 00:05:13,697 [root] DEBUG: 6648: Dropped file limit defaulting to 100. 2026-04-28 00:05:13,728 [root] DEBUG: 6648: YaraInit: Compiled 44 rule files 2026-04-28 00:05:13,744 [root] DEBUG: 6648: YaraInit: Compiled rules saved to file C:\_g_ewr1x\data\yara\capemon.yac 2026-04-28 00:05:13,744 [root] DEBUG: 6648: YaraScan: Scanning 0x00610000, size 0x1f0 2026-04-28 00:05:13,744 [root] DEBUG: 6648: Monitor initialised: 32-bit capemon loaded in process 6648 at 0x73ea0000, thread 6700, image base 0x610000, stack from 0x7d2000-0x7e0000 2026-04-28 00:05:13,761 [root] DEBUG: 6648: Commandline: "C:\Users\cape\AppData\Local\Temp\sex1.exe" 2026-04-28 00:05:13,900 [root] DEBUG: 6648: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress 2026-04-28 00:05:14,010 [root] DEBUG: 6648: hook_api: Warning - SetWindowLongW export address 0x75D45420 differs from GetProcAddress -> 0x750E59E0 (apphelp.dll::0xff3d59e0) 2026-04-28 00:05:14,025 [root] DEBUG: 6648: hook_api: Warning - EnumDisplayDevicesA export address 0x75D395A0 differs from GetProcAddress -> 0x750E6780 (apphelp.dll::0xff3d6780) 2026-04-28 00:05:14,057 [root] DEBUG: 6648: hook_api: Warning - EnumDisplayDevicesW export address 0x75D4FB70 differs from GetProcAddress -> 0x7510E4D0 (apphelp.dll::0xff3fe4d0) 2026-04-28 00:05:14,072 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2026-04-28 00:05:14,072 [root] DEBUG: 6648: set_hooks: Unable to hook GetCommandLineA 2026-04-28 00:05:14,072 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2026-04-28 00:05:14,089 [root] DEBUG: 6648: set_hooks: Unable to hook GetCommandLineW 2026-04-28 00:05:14,166 [root] DEBUG: 6648: Hooked 630 out of 632 functions 2026-04-28 00:05:14,182 [root] DEBUG: 6648: Syscall hook installed, syscall logging level 1 2026-04-28 00:05:14,197 [root] INFO: Loaded monitor into process with pid 6648 2026-04-28 00:05:14,307 [root] DEBUG: 6648: DLL loaded at 0x73E10000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes). 2026-04-28 00:05:14,447 [root] DEBUG: 6648: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-28 00:05:14,463 [root] DEBUG: 6648: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-04-28 00:05:14,463 [root] DEBUG: 6648: DLL loaded at 0x75460000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes). 2026-04-28 00:05:16,010 [root] DEBUG: 6648: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 6700). 2026-04-28 00:05:16,010 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-28 00:05:16,385 [root] DEBUG: 6648: DLL loaded at 0x73740000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80 (0x9b000 bytes). 2026-04-28 00:05:16,400 [root] DEBUG: 6648: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-28 00:05:16,400 [root] DEBUG: 6648: DLL loaded at 0x737E0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x621000 bytes). 2026-04-28 00:05:17,698 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x0290A000, size: 0x1000. 2026-04-28 00:05:17,698 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x02900000 2026-04-28 00:05:17,698 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:17,698 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02900000. 2026-04-28 00:05:17,744 [root] DEBUG: 6648: DLL loaded at 0x77590000: C:\Windows\System32\shell32 (0x5b5000 bytes). 2026-04-28 00:05:17,760 [root] DEBUG: 6648: DLL loaded at 0x756D0000: C:\Windows\SYSTEM32\Wldp (0x27000 bytes). 2026-04-28 00:05:17,775 [root] DEBUG: 6648: DLL loaded at 0x75700000: C:\Windows\SYSTEM32\windows.storage (0x60d000 bytes). 2026-04-28 00:05:17,775 [root] DEBUG: 6648: DLL loaded at 0x76F70000: C:\Windows\System32\SHCORE (0x87000 bytes). 2026-04-28 00:05:18,447 [root] DEBUG: 6648: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6700). 2026-04-28 00:05:18,463 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-28 00:05:18,494 [root] DEBUG: 6648: DLL loaded at 0x75260000: C:\Windows\SYSTEM32\profapi (0x18000 bytes). 2026-04-28 00:05:19,150 [root] DEBUG: 6648: DLL loaded at 0x72C40000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\07fedecf3b964c4d26a6ec994226efe4\mscorlib.ni (0xb00000 bytes). 2026-04-28 00:05:19,385 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x02922000, size: 0x1000. 2026-04-28 00:05:19,385 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x02920000 2026-04-28 00:05:19,400 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:19,807 [root] DEBUG: 6648: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-04-28 00:05:19,807 [root] DEBUG: 6648: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes). 2026-04-28 00:05:20,119 [root] DEBUG: 6648: caller_dispatch: Added region at 0x02910000 to tracked regions list (kernel32::SetErrorMode returns to 0x02910626, thread 6700). 2026-04-28 00:05:20,119 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x02910000 - 0x02910FFE. 2026-04-28 00:05:20,119 [root] DEBUG: 6648: ScanForDisguisedPE: No PE image located in range 0x02910000-0x02910FFE. 2026-04-28 00:05:20,183 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_12552922052127142026 to CAPE\67a4e4961f92079cfb03d908719e99c6c09b74279b0e37b9d7eea541659f3957; Size is 4094; Max size: 100000000 2026-04-28 00:05:20,183 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_12552922052127142026 (size 4094 bytes) 2026-04-28 00:05:20,199 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x02910000, size 4096 bytes. 2026-04-28 00:05:20,199 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x02910000. 2026-04-28 00:05:20,213 [root] DEBUG: 6648: YaraScan: Scanning 0x02910000, size 0xffe 2026-04-28 00:05:20,213 [root] DEBUG: 6648: ReverseScanForNonZero: Error - Supplied size zero. 2026-04-28 00:05:20,263 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_16854692052127142026 to CAPE\157b063a2a5ecda11353d506c46d65fac9350decc6f97df21fb48dc66a8a4c99; Size is 354; Max size: 100000000 2026-04-28 00:05:20,291 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_16854692052127142026 (size 354 bytes) 2026-04-28 00:05:20,291 [root] DEBUG: 6648: DumpRegion: Dumped region at 0x0290A000, size 4096 bytes. 2026-04-28 00:05:20,308 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x0290A000. 2026-04-28 00:05:20,308 [root] DEBUG: 6648: ReverseScanForNonZero: Error - Supplied address inaccessible: 0x02900FFF 2026-04-28 00:05:20,324 [root] DEBUG: 6648: YaraScan: Nothing to scan at 0x0290A000! 2026-04-28 00:05:20,588 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:20,713 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x0408B000, size: 0x1000. 2026-04-28 00:05:20,730 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x04080000 2026-04-28 00:05:20,744 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:20,744 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x04080000. 2026-04-28 00:05:21,541 [root] DEBUG: 6648: DLL loaded at 0x72490000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c60dd1ee843ba8ff9ee7edcd6302393b\System.ni (0x7a8000 bytes). 2026-04-28 00:05:22,073 [root] DEBUG: 6648: DLL loaded at 0x72300000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\a03dd8871929955c680232682c9464a0\System.Drawing.ni (0x189000 bytes). 2026-04-28 00:05:22,338 [root] DEBUG: 6648: DLL loaded at 0x71720000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\194e1e92bfae5396086518c2ec0a0f74\System.Windows.Forms.ni (0xbe0000 bytes). 2026-04-28 00:05:22,557 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:22,666 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:22,697 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:22,697 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:22,807 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-28 00:05:22,900 [root] DEBUG: 6648: DLL loaded at 0x716C0000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes). 2026-04-28 00:05:23,729 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:24,057 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x051E0000, size: 0x1000. 2026-04-28 00:05:24,072 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:24,916 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:25,510 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x051E0000 - 0x051E0564. 2026-04-28 00:05:25,541 [root] DEBUG: 6648: ScanForDisguisedPE: Size too small: 0x564 bytes 2026-04-28 00:05:25,588 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_83059732552127142026 to CAPE\7902243f3a376bfaa57345f4323c5ae18f5f180ad0fd75395f6a3344bab889d5; Size is 1380; Max size: 100000000 2026-04-28 00:05:25,619 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_83059732552127142026 (size 1380 bytes) 2026-04-28 00:05:25,650 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x051E0000, size 4096 bytes. 2026-04-28 00:05:25,713 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x051E0000. 2026-04-28 00:05:25,728 [root] DEBUG: 6648: YaraScan: Scanning 0x051E0000, size 0x564 2026-04-28 00:05:25,760 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x7F6C0000, size: 0x50000. 2026-04-28 00:05:25,760 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x7F6C0000 2026-04-28 00:05:25,775 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:25,791 [root] DEBUG: 6648: AllocationHandler: Processing previous tracked region at: 0x051E0000. 2026-04-28 00:05:25,807 [root] DEBUG: 6648: ProcessTrackedRegion: Updated entropy for tracked region at 0x051E0000: 2.795399e+00 (from 0.000000e+00) 2026-04-28 00:05:25,838 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x051E0000 - 0x051E0564. 2026-04-28 00:05:25,854 [root] DEBUG: 6648: ScanForDisguisedPE: Size too small: 0x564 bytes 2026-04-28 00:05:25,869 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_253945442552127142026 to CAPE\7902243f3a376bfaa57345f4323c5ae18f5f180ad0fd75395f6a3344bab889d5; Size is 1380; Max size: 100000000 2026-04-28 00:05:25,916 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_253945442552127142026 (size 1380 bytes) 2026-04-28 00:05:26,119 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x051E0000, size 4096 bytes. 2026-04-28 00:05:26,135 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x051E0000. 2026-04-28 00:05:26,150 [root] DEBUG: 6648: YaraScan: Scanning 0x051E0000, size 0x564 2026-04-28 00:05:26,150 [root] DEBUG: 6648: AllocationHandler: Memory region (size 0x50000) reserved but not committed at 0x7F6C0000. 2026-04-28 00:05:26,166 [root] DEBUG: 6648: AllocationHandler: Previously reserved region at 0x7F6C0000, committing at: 0x7F6C0000. 2026-04-28 00:05:26,166 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x7F6C0000. 2026-04-28 00:05:26,182 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x7F6B0000, size: 0x10000. 2026-04-28 00:05:26,182 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x7F6B0000 2026-04-28 00:05:26,260 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:26,322 [root] DEBUG: 6648: AllocationHandler: Processing previous tracked region at: 0x7F6C0000. 2026-04-28 00:05:26,338 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x7F6C0000 - 0x7F6C002C. 2026-04-28 00:05:26,369 [root] DEBUG: 6648: ScanForDisguisedPE: Size too small: 0x2c bytes 2026-04-28 00:05:26,525 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_36200322652127142026 to CAPE\6a4a38c4482e414c906feff2bcb47d46b8ed525c6b88eff38080f494a7163a1b; Size is 44; Max size: 100000000 2026-04-28 00:05:26,557 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_36200322652127142026 (size 44 bytes) 2026-04-28 00:05:26,557 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x7F6C0000, size 4096 bytes. 2026-04-28 00:05:26,572 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x7F6C0000. 2026-04-28 00:05:26,588 [root] DEBUG: 6648: YaraScan: Scanning 0x7F6C0000, size 0x2c 2026-04-28 00:05:26,603 [root] DEBUG: 6648: AllocationHandler: Memory region (size 0x10000) reserved but not committed at 0x7F6B0000. 2026-04-28 00:05:26,619 [root] DEBUG: 6648: AllocationHandler: Previously reserved region at 0x7F6B0000, committing at: 0x7F6B0000. 2026-04-28 00:05:28,182 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x0407A000, size: 0x1000. 2026-04-28 00:05:30,947 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x0293A000, size: 0x1000. 2026-04-28 00:05:30,963 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x02930000 2026-04-28 00:05:30,994 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:31,010 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02930000. 2026-04-28 00:05:32,510 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02900000. 2026-04-28 00:05:33,369 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-28 00:05:34,322 [root] DEBUG: 6648: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes). 2026-04-28 00:05:35,229 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02930000. 2026-04-28 00:05:36,791 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:39,025 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:39,886 [root] DEBUG: 6648: DLL loaded at 0x75280000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes). 2026-04-28 00:05:39,900 [root] DEBUG: 6648: DLL loaded at 0x74C10000: C:\Windows\system32\rsaenh (0x2f000 bytes). 2026-04-28 00:05:39,900 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x077F0000, size: 0x1000. 2026-04-28 00:05:39,900 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:40,510 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:40,807 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x04080000. 2026-04-28 00:05:42,900 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:43,557 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x07800000, size: 0x1000. 2026-04-28 00:05:43,572 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:44,057 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x079B1000, size: 0x1000. 2026-04-28 00:05:45,057 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:45,776 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:45,791 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:45,791 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:45,807 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x07810000, size: 0x8000. 2026-04-28 00:05:45,807 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x07810000 2026-04-28 00:05:45,807 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:45,822 [root] DEBUG: 6648: AllocationHandler: Processing previous tracked region at: 0x079B0000. 2026-04-28 00:05:45,822 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x079B0000 - 0x079B7FFE. 2026-04-28 00:05:45,822 [root] DEBUG: 6648: ScanForDisguisedPE: No PE image located in range 0x079B0000-0x079B7FFE. 2026-04-28 00:05:45,838 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_219745264552127142026 to CAPE\c53c9857218e56767da2dc2ef8fb81c512704e4023339b58d91ba52cdf903dca; Size is 32766; Max size: 100000000 2026-04-28 00:05:45,838 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_219745264552127142026 (size 32766 bytes) 2026-04-28 00:05:45,838 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x079B0000, size 32768 bytes. 2026-04-28 00:05:45,853 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x079B0000. 2026-04-28 00:05:45,853 [root] DEBUG: 6648: YaraScan: Scanning 0x079B0000, size 0x7ffe 2026-04-28 00:05:45,853 [root] DEBUG: 6648: AllocationHandler: Memory region (size 0x8000) reserved but not committed at 0x07810000. 2026-04-28 00:05:45,853 [root] DEBUG: 6648: AllocationHandler: Previously reserved region at 0x07810000, committing at: 0x07810000. 2026-04-28 00:05:46,166 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:46,166 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x079B0000. 2026-04-28 00:05:47,338 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:48,525 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:48,853 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x077F0000 - 0x077F020C. 2026-04-28 00:05:48,853 [root] DEBUG: 6648: ScanForDisguisedPE: Size too small: 0x20c bytes 2026-04-28 00:05:48,869 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_187460684852127142026 to CAPE\5131cc93670f51e88960065f7bb8df32f8381db790c5a1ab3de61f19dec14c5f; Size is 524; Max size: 100000000 2026-04-28 00:05:48,885 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_187460684852127142026 (size 524 bytes) 2026-04-28 00:05:48,995 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x077F0000, size 4096 bytes. 2026-04-28 00:05:48,995 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x077F0000. 2026-04-28 00:05:48,995 [root] DEBUG: 6648: YaraScan: Scanning 0x077F0000, size 0x20c 2026-04-28 00:05:49,744 [root] DEBUG: 6648: DLL loaded at 0x71650000: C:\Windows\SYSTEM32\shfolder (0x6000 bytes). 2026-04-28 00:05:50,088 [root] INFO: Added new file to list with pid 6648 and path C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\run.dat 2026-04-28 00:05:50,104 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:50,104 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:05:50,510 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x04070000. 2026-04-28 00:05:50,525 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x04070000. 2026-04-28 00:05:50,572 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:05:50,838 [root] DEBUG: 6648: DLL loaded at 0x71620000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes). 2026-04-28 00:05:50,838 [root] INFO: Added new file to list with pid 6648 and path C:\Program Files (x86)\WAN Manager\wanmgr.exe 2026-04-28 00:05:51,463 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-28 00:05:51,463 [root] DEBUG: 6648: DLL loaded at 0x71610000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes). 2026-04-28 00:05:52,244 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:05:52,276 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x07B00000, size: 0x100000. 2026-04-28 00:05:52,291 [root] DEBUG: 6648: GetEntropy: Error - Supplied address inaccessible: 0x07B00000 2026-04-28 00:05:52,307 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:05:52,307 [root] DEBUG: 6648: AllocationHandler: Processing previous tracked region at: 0x07810000. 2026-04-28 00:05:52,326 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x07810000 - 0x078108C9. 2026-04-28 00:05:52,326 [root] DEBUG: 6648: ScanForDisguisedPE: No PE image located in range 0x07810000-0x078108C9. 2026-04-28 00:05:52,340 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_77216365252127142026 to CAPE\93da0626e38b0f52be088e4e0960b629ba52a39a2ca07e32b131a24d489d513d; Size is 2249; Max size: 100000000 2026-04-28 00:05:52,340 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_77216365252127142026 (size 2249 bytes) 2026-04-28 00:05:52,340 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x07810000, size 4096 bytes. 2026-04-28 00:05:52,354 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x07810000. 2026-04-28 00:05:52,354 [root] DEBUG: 6648: YaraScan: Scanning 0x07810000, size 0x8c9 2026-04-28 00:05:52,354 [root] DEBUG: 6648: AllocationHandler: Memory region (size 0x100000) reserved but not committed at 0x07B00000. 2026-04-28 00:05:52,372 [root] DEBUG: 6648: AllocationHandler: Previously reserved region at 0x07B00000, committing at: 0x07B00000. 2026-04-28 00:05:52,994 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-28 00:05:53,041 [root] DEBUG: 6648: DLL loaded at 0x71590000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader (0x8d000 bytes). 2026-04-28 00:05:54,510 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02900000. 2026-04-28 00:05:54,541 [root] INFO: Added new file to list with pid 6648 and path C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp 2026-04-28 00:05:55,635 [root] DEBUG: 6648: CreateProcessHandler: Injection info set for new process 3884: C:\Windows\SYSTEM32\schtasks.exe, ImageBase: 0x009E0000 2026-04-28 00:05:55,635 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3884 2026-04-28 00:05:55,635 [lib.api.process] INFO: Monitor config for <Process 3884 schtasks.exe>: C:\_g_ewr1x\dll\3884.ini 2026-04-28 00:05:55,650 [lib.api.process] INFO: 32-bit DLL to inject is C:\_g_ewr1x\dll\zbBXAj.dll, loader C:\_g_ewr1x\bin\oNunBip.exe 2026-04-28 00:05:55,682 [root] DEBUG: Loader: Injecting process 3884 (thread 1828) with C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:05:55,760 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-04-28 00:05:55,775 [root] DEBUG: Successfully injected DLL C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:05:55,775 [lib.api.process] INFO: Injected into 32-bit <Process 3884 schtasks.exe> 2026-04-28 00:05:55,807 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-28 00:05:56,197 [root] DEBUG: 3884: Python path set to 'C:\Python310'. 2026-04-28 00:05:56,197 [root] DEBUG: 3884: Disabling sleep skipping. 2026-04-28 00:05:56,197 [root] DEBUG: 3884: Dropped file limit defaulting to 100. 2026-04-28 00:05:56,244 [root] DEBUG: 3884: YaraInit: Compiled rules loaded from existing file C:\_g_ewr1x\data\yara\capemon.yac 2026-04-28 00:05:56,260 [root] DEBUG: 3884: YaraScan: Scanning 0x009E0000, size 0x3198c 2026-04-28 00:05:56,260 [root] DEBUG: 3884: Monitor initialised: 32-bit capemon loaded in process 3884 at 0x73ea0000, thread 1828, image base 0x9e0000, stack from 0x2ae4000-0x2af0000 2026-04-28 00:05:56,260 [root] DEBUG: 3884: Commandline: "schtasks.exe" /create /f /tn "WAN Manager" /xml "C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp" 2026-04-28 00:05:56,369 [root] DEBUG: 3884: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress 2026-04-28 00:05:56,447 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2026-04-28 00:05:56,463 [root] DEBUG: 3884: set_hooks: Unable to hook GetCommandLineA 2026-04-28 00:05:56,482 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2026-04-28 00:05:56,482 [root] DEBUG: 3884: set_hooks: Unable to hook GetCommandLineW 2026-04-28 00:05:56,510 [root] DEBUG: 3884: Hooked 630 out of 632 functions 2026-04-28 00:05:56,510 [root] DEBUG: 3884: Syscall hook installed, syscall logging level 1 2026-04-28 00:05:56,526 [root] DEBUG: 3884: RestoreHeaders: Restored original import table. 2026-04-28 00:05:56,526 [root] INFO: Loaded monitor into process with pid 3884 2026-04-28 00:05:56,541 [root] DEBUG: 3884: caller_dispatch: Added region at 0x009E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00A0022A, thread 1828). 2026-04-28 00:05:56,541 [root] DEBUG: 3884: YaraScan: Scanning 0x009E0000, size 0x3198c 2026-04-28 00:05:56,558 [root] DEBUG: 3884: ProcessImageBase: Main module image at 0x009E0000 unmodified (entropy change 0.000000e+00) 2026-04-28 00:05:56,650 [root] DEBUG: 3884: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 1828). 2026-04-28 00:05:56,666 [root] DEBUG: 3884: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-28 00:05:56,697 [root] DEBUG: 3884: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-28 00:05:56,713 [root] DEBUG: 3884: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-04-28 00:05:56,713 [root] DEBUG: 3884: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-04-28 00:05:56,730 [root] INFO: Stopping Task Scheduler Service 2026-04-28 00:05:56,808 [root] INFO: Stopped Task Scheduler Service 2026-04-28 00:05:56,838 [root] INFO: Starting Task Scheduler Service 2026-04-28 00:05:56,947 [root] INFO: Started Task Scheduler Service 2026-04-28 00:05:56,947 [lib.api.process] INFO: Monitor config for <Process 1052 svchost.exe>: C:\_g_ewr1x\dll\1052.ini 2026-04-28 00:05:57,010 [lib.api.process] INFO: 64-bit DLL to inject is C:\_g_ewr1x\dll\wIazzoy.dll, loader C:\_g_ewr1x\bin\fSDEQCOs.exe 2026-04-28 00:05:57,041 [root] DEBUG: Loader: Injecting process 1052 with C:\_g_ewr1x\dll\wIazzoy.dll. 2026-04-28 00:05:57,041 [root] DEBUG: 1052: Python path set to 'C:\Python310'. 2026-04-28 00:05:57,041 [root] DEBUG: 1052: Disabling sleep skipping. 2026-04-28 00:05:57,057 [root] DEBUG: 1052: Dropped file limit defaulting to 100. 2026-04-28 00:05:57,057 [root] DEBUG: 1052: Services hook set enabled 2026-04-28 00:05:57,057 [root] DEBUG: 1052: YaraInit: Compiled rules loaded from existing file C:\_g_ewr1x\data\yara\capemon.yac 2026-04-28 00:05:57,104 [root] DEBUG: 1052: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500 2026-04-28 00:05:57,104 [root] DEBUG: 1052: Monitor initialised: 64-bit capemon loaded in process 1052 at 0x00007FFEABBA0000, thread 852, image base 0x00007FF7AB6E0000, stack from 0x0000005367074000-0x0000005367080000 2026-04-28 00:05:57,104 [root] DEBUG: 1052: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 2026-04-28 00:05:57,182 [root] DEBUG: 1052: Hooked 69 out of 69 functions 2026-04-28 00:05:57,228 [root] INFO: Loaded monitor into process with pid 1052 2026-04-28 00:05:57,228 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2026-04-28 00:05:57,228 [root] DEBUG: Successfully injected DLL C:\_g_ewr1x\dll\wIazzoy.dll. 2026-04-28 00:05:57,244 [lib.api.process] INFO: Injected into 64-bit <Process 1052 svchost.exe> 2026-04-28 00:05:59,260 [root] DEBUG: 3884: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes). 2026-04-28 00:05:59,275 [root] DEBUG: 3884: DLL loaded at 0x75180000: C:\Windows\System32\taskschd (0x7d000 bytes). 2026-04-28 00:05:59,291 [root] DEBUG: 3884: DEBUG:Initialized 9 com hooks 2026-04-28 00:05:59,603 [root] DEBUG: 3884: NtTerminateProcess hook: Attempting to dump process 3884 2026-04-28 00:05:59,635 [root] DEBUG: 3884: DoProcessDump: Skipping process dump as code is identical on disk. 2026-04-28 00:05:59,697 [root] INFO: Process with pid 3884 has terminated 2026-04-28 00:05:59,791 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x077F0000. 2026-04-28 00:05:59,822 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp to files\4931757751d7c9d49e74bf11f86be68591998ab3608b8a0d8cca6b531f1451a6; Size is 1304; Max size: 100000000 2026-04-28 00:06:00,088 [root] INFO: Added new file to list with pid 6648 and path C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\task.dat 2026-04-28 00:06:00,385 [root] INFO: Added new file to list with pid 6648 and path C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp 2026-04-28 00:06:00,400 [root] DEBUG: 6648: CreateProcessHandler: Injection info set for new process 3200: C:\Windows\SYSTEM32\schtasks.exe, ImageBase: 0x009E0000 2026-04-28 00:06:00,432 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 3200 2026-04-28 00:06:00,486 [lib.api.process] INFO: Monitor config for <Process 3200 schtasks.exe>: C:\_g_ewr1x\dll\3200.ini 2026-04-28 00:06:00,574 [lib.api.process] INFO: 32-bit DLL to inject is C:\_g_ewr1x\dll\zbBXAj.dll, loader C:\_g_ewr1x\bin\oNunBip.exe 2026-04-28 00:06:00,667 [root] DEBUG: Loader: Injecting process 3200 (thread 7412) with C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:06:00,701 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-04-28 00:06:00,802 [root] DEBUG: Successfully injected DLL C:\_g_ewr1x\dll\zbBXAj.dll. 2026-04-28 00:06:00,870 [lib.api.process] INFO: Injected into 32-bit <Process 3200 schtasks.exe> 2026-04-28 00:06:00,952 [root] DEBUG: 6648: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-28 00:06:01,101 [root] DEBUG: 3200: Python path set to 'C:\Python310'. 2026-04-28 00:06:01,121 [root] DEBUG: 3200: Dropped file limit defaulting to 100. 2026-04-28 00:06:01,155 [root] DEBUG: 3200: Disabling sleep skipping. 2026-04-28 00:06:01,180 [root] DEBUG: 3200: YaraInit: Compiled rules loaded from existing file C:\_g_ewr1x\data\yara\capemon.yac 2026-04-28 00:06:01,264 [root] DEBUG: 3200: YaraScan: Scanning 0x009E0000, size 0x3198c 2026-04-28 00:06:01,299 [root] DEBUG: 3200: Monitor initialised: 32-bit capemon loaded in process 3200 at 0x73ea0000, thread 7412, image base 0x9e0000, stack from 0x2f35000-0x2f40000 2026-04-28 00:06:01,320 [root] DEBUG: 3200: Commandline: "schtasks.exe" /create /f /tn "WAN Manager Task" /xml "C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp" 2026-04-28 00:06:01,550 [root] DEBUG: 3200: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress 2026-04-28 00:06:01,649 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2026-04-28 00:06:01,669 [root] DEBUG: 3200: set_hooks: Unable to hook GetCommandLineA 2026-04-28 00:06:01,683 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2026-04-28 00:06:01,694 [root] DEBUG: 3200: set_hooks: Unable to hook GetCommandLineW 2026-04-28 00:06:01,728 [root] DEBUG: 3200: Hooked 630 out of 632 functions 2026-04-28 00:06:01,751 [root] DEBUG: 3200: Syscall hook installed, syscall logging level 1 2026-04-28 00:06:01,772 [root] DEBUG: 3200: RestoreHeaders: Restored original import table. 2026-04-28 00:06:01,775 [root] INFO: Loaded monitor into process with pid 3200 2026-04-28 00:06:01,796 [root] DEBUG: 3200: caller_dispatch: Added region at 0x009E0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00A0022A, thread 7412). 2026-04-28 00:06:01,843 [root] DEBUG: 3200: YaraScan: Scanning 0x009E0000, size 0x3198c 2026-04-28 00:06:01,855 [root] DEBUG: 3200: ProcessImageBase: Main module image at 0x009E0000 unmodified (entropy change 0.000000e+00) 2026-04-28 00:06:01,936 [root] DEBUG: 3200: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 7412). 2026-04-28 00:06:01,938 [root] DEBUG: 3200: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-28 00:06:01,961 [root] DEBUG: 3200: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-28 00:06:01,970 [root] DEBUG: 3200: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-04-28 00:06:01,996 [root] DEBUG: 3200: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-04-28 00:06:02,042 [root] DEBUG: 3200: DLL loaded at 0x77400000: C:\Windows\System32\clbcatq (0x7e000 bytes). 2026-04-28 00:06:02,062 [root] DEBUG: 3200: DLL loaded at 0x75180000: C:\Windows\System32\taskschd (0x7d000 bytes). 2026-04-28 00:06:02,065 [root] DEBUG: 3200: DEBUG:Initialized 9 com hooks 2026-04-28 00:06:02,192 [root] DEBUG: 3200: NtTerminateProcess hook: Attempting to dump process 3200 2026-04-28 00:06:02,206 [root] DEBUG: 3200: DoProcessDump: Skipping process dump as code is identical on disk. 2026-04-28 00:06:02,262 [root] INFO: Process with pid 3200 has terminated 2026-04-28 00:06:02,311 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp to files\067d3f5167cab2ea4e76f59386df4eaf49c6008f6451e1971274a938ad7bcf44; Size is 1308; Max size: 100000000 2026-04-28 00:06:02,468 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:02,562 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:02,699 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:02,744 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:03,146 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:03,250 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:03,283 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:03,319 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:03,341 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:03,368 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:06:03,463 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07B00000. 2026-04-28 00:06:03,474 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07B00000. 2026-04-28 00:06:03,526 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07B00000. 2026-04-28 00:06:03,581 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:03,744 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:03,984 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:04,147 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:04,182 [root] DEBUG: 6648: DLL loaded at 0x76A70000: C:\Windows\System32\psapi (0x6000 bytes). 2026-04-28 00:06:04,211 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:04,414 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:04,640 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:04,780 [root] DEBUG: 6648: DLL loaded at 0x747C0000: C:\Windows\system32\mswsock (0x52000 bytes). 2026-04-28 00:06:04,952 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,169 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,191 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,206 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,229 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02920000. 2026-04-28 00:06:05,323 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,351 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07800000. 2026-04-28 00:06:05,424 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x051E0000. 2026-04-28 00:06:05,460 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x08640000, size: 0x1000. 2026-04-28 00:06:05,484 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:06:05,530 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:05,876 [root] DEBUG: 6648: DLL loaded at 0x70900000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\bae24e9bcbc01bb2a0ed4fa751347041\System.Xml.ni (0x53c000 bytes). 2026-04-28 00:06:05,986 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x08630000, size: 0x1000. 2026-04-28 00:06:06,000 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:06:06,107 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:06,127 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x08640000 - 0x08642381. 2026-04-28 00:06:06,129 [root] DEBUG: 6648: ScanForDisguisedPE: No PE image located in range 0x08640000-0x08642381. 2026-04-28 00:06:06,259 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_4115020662127142026 to CAPE\b639220ba55e061b5ed03cb609435b06f2ca7eb4ded611f62778f43d345d4b25; Size is 9089; Max size: 100000000 2026-04-28 00:06:06,323 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_4115020662127142026 (size 9089 bytes) 2026-04-28 00:06:06,339 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x08640000, size 12288 bytes. 2026-04-28 00:06:06,375 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x08640000. 2026-04-28 00:06:06,442 [root] DEBUG: 6648: YaraScan: Scanning 0x08640000, size 0x2381 2026-04-28 00:06:06,712 [root] DEBUG: 6648: AllocationHandler: Previously reserved region at 0x02910000, committing at: 0x02911000. 2026-04-28 00:06:06,901 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:06,926 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08630000. 2026-04-28 00:06:07,014 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,150 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,156 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,188 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,235 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,273 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08630000. 2026-04-28 00:06:07,335 [root] DEBUG: 6648: AllocationHandler: Adding allocation to tracked region list: 0x08660000, size: 0x1000. 2026-04-28 00:06:07,351 [root] DEBUG: 6648: AddTrackedRegion: GetEntropy failed. 2026-04-28 00:06:07,357 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08630000. 2026-04-28 00:06:07,357 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,536 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,558 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08630000. 2026-04-28 00:06:07,621 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,723 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x077F0000. 2026-04-28 00:06:07,838 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:07,942 [root] DEBUG: 6648: DLL loaded at 0x71070000: C:\Windows\SYSTEM32\dnsapi (0x90000 bytes). 2026-04-28 00:06:07,954 [root] DEBUG: 6648: DLL loaded at 0x74BB0000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes). 2026-04-28 00:06:07,974 [root] DEBUG: 6648: DLL loaded at 0x77E20000: C:\Windows\System32\NSI (0x7000 bytes). 2026-04-28 00:06:08,159 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:08,175 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08630000. 2026-04-28 00:06:08,321 [root] DEBUG: 6648: DumpRegion: Dump at 0x02920000 skipped due to dump limit 10 2026-04-28 00:06:08,346 [root] DEBUG: 6648: ProcessTrackedRegion: Failed to dump region at 0x02920000. 2026-04-28 00:06:08,357 [root] DEBUG: 6648: YaraScan: Scanning 0x02920000, size 0xad10 2026-04-28 00:06:08,926 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:08,958 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x08640000. 2026-04-28 00:06:08,991 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x077F0000. 2026-04-28 00:06:09,075 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x07B00000. 2026-04-28 00:06:13,225 [root] DEBUG: 6648: AllocationHandler: Allocation already in tracked region list: 0x02930000. 2026-04-28 00:06:18,257 [root] INFO: Process with pid 3556 has terminated 2026-04-28 00:06:34,522 [root] INFO: Process with pid 6016 has terminated 2026-04-28 00:07:14,179 [root] INFO: Analysis timeout hit, terminating analysis 2026-04-28 00:07:14,194 [lib.api.process] INFO: Terminate event set for <Process 6648 sex1.exe> 2026-04-28 00:07:14,257 [root] DEBUG: 6648: Terminate Event: Attempting to dump process 6648 2026-04-28 00:07:14,491 [root] DEBUG: 6648: VerifyCodeSection: Executable code does not match, 0x1c796 of 0x1c797 matching 2026-04-28 00:07:14,741 [root] DEBUG: 6648: DoProcessDump: Code modification detected, dumping Imagebase at 0x00610000. 2026-04-28 00:07:14,897 [root] DEBUG: 6648: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2026-04-28 00:07:15,041 [root] DEBUG: 6648: DumpProcess: Instantiating PeParser with address: 0x00610000. 2026-04-28 00:07:15,147 [root] DEBUG: 6648: DumpProcess: Module entry point VA is 0x0062E792. 2026-04-28 00:07:15,179 [root] DEBUG: 6648: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00612000, section 1 2026-04-28 00:07:15,194 [root] DEBUG: 6648: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x00630000, section 2 2026-04-28 00:07:15,226 [root] DEBUG: 6648: reBasePEImage: Exception rebasing image from 0x00610000 to 0x00400000. 2026-04-28 00:07:15,241 [root] DEBUG: 6648: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000. 2026-04-28 00:07:15,350 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_111521572127142026 to procdump\e4dd7d882e7afe04c9b7bddfc0a6251193152d26b730d2625db3646f88c717b3; Size is 91136; Max size: 100000000 2026-04-28 00:07:15,366 [root] DEBUG: 6648: DumpProcess: Module image dump success - dump size 0x16400. 2026-04-28 00:07:15,397 [root] DEBUG: 6648: DumpInterestingRegions: Dumping .NET image at 0x08110000. 2026-04-28 00:07:15,413 [root] DEBUG: 6648: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6648) 2026-04-28 00:07:15,429 [root] DEBUG: 6648: DumpPE: Instantiating PeParser with address: 0x08110000. 2026-04-28 00:07:15,477 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_81993481572127142026 to CAPE\61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403; Size is 19968; Max size: 100000000 2026-04-28 00:07:15,522 [root] DEBUG: 6648: DumpPE: PE file at 0x08110000 dumped successfully - dump size 0x4e00. 2026-04-28 00:07:15,539 [root] DEBUG: 6648: DumpInterestingRegions: Dumping .NET image at 0x083B0000. 2026-04-28 00:07:15,710 [root] DEBUG: 6648: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6648) 2026-04-28 00:07:15,741 [root] DEBUG: 6648: DumpPE: Instantiating PeParser with address: 0x083B0000. 2026-04-28 00:07:15,788 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_46934941572127142026 to CAPE\01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354; Size is 100352; Max size: 100000000 2026-04-28 00:07:15,804 [root] DEBUG: 6648: DumpPE: PE file at 0x083B0000 dumped successfully - dump size 0x18800. 2026-04-28 00:07:15,835 [root] DEBUG: 6648: DumpInterestingRegions: Dumping .NET image at 0x08510000. 2026-04-28 00:07:15,882 [root] DEBUG: 6648: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 6648) 2026-04-28 00:07:15,882 [root] DEBUG: 6648: DumpPE: Instantiating PeParser with address: 0x08510000. 2026-04-28 00:07:15,945 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_241945001572127142026 to CAPE\f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec; Size is 12288; Max size: 100000000 2026-04-28 00:07:15,976 [root] DEBUG: 6648: DumpPE: PE file at 0x08510000 dumped successfully - dump size 0x3000. 2026-04-28 00:07:16,007 [root] DEBUG: 6648: DumpPEsInRange: Scanning range 0x08660000 - 0x086608CC. 2026-04-28 00:07:16,024 [root] DEBUG: 6648: ScanForDisguisedPE: No PE image located in range 0x08660000-0x086608CC. 2026-04-28 00:07:16,054 [lib.common.results] INFO: Uploading file C:\coVEjD\CAPE\6648_7284221672127142026 to CAPE\dc4a61046d5f6b52019eda5764ab099414471fc9e9fb50c828092a8db276c84d; Size is 2252; Max size: 100000000 2026-04-28 00:07:16,088 [root] DEBUG: 6648: DumpMemory: Payload successfully created: C:\coVEjD\CAPE\6648_7284221672127142026 (size 2252 bytes) 2026-04-28 00:07:16,101 [root] DEBUG: 6648: DumpRegion: Dumped entire allocation from 0x08660000, size 4096 bytes. 2026-04-28 00:07:16,132 [root] DEBUG: 6648: ProcessTrackedRegion: Dumped region at 0x08660000. 2026-04-28 00:07:16,132 [root] DEBUG: 6648: YaraScan: Scanning 0x08660000, size 0x8cc 2026-04-28 00:07:16,147 [lib.api.process] INFO: Termination confirmed for <Process 6648 sex1.exe> 2026-04-28 00:07:16,147 [root] INFO: Terminate event set for process 6648 2026-04-28 00:07:16,147 [root] DEBUG: 6648: Terminate Event: monitor shutdown complete for process 6648 2026-04-28 00:07:16,163 [lib.api.process] INFO: Terminate event set for <Process 1052 svchost.exe> 2026-04-28 00:07:16,179 [root] DEBUG: 1052: Terminate Event: Attempting to dump process 1052 2026-04-28 00:07:16,194 [root] DEBUG: 1052: DoProcessDump: Skipping process dump as code is identical on disk. 2026-04-28 00:07:16,429 [lib.api.process] INFO: Termination confirmed for <Process 1052 svchost.exe> 2026-04-28 00:07:16,429 [root] DEBUG: 1052: Terminate Event: monitor shutdown complete for process 1052 2026-04-28 00:07:16,444 [root] INFO: Terminate event set for process 1052 2026-04-28 00:07:16,475 [root] INFO: Created shutdown mutex 2026-04-28 00:07:17,554 [root] INFO: Shutting down package 2026-04-28 00:07:17,569 [root] INFO: Stopping auxiliary modules 2026-04-28 00:07:17,569 [root] INFO: Stopping auxiliary module: Browser 2026-04-28 00:07:17,585 [root] INFO: Stopping auxiliary module: Human 2026-04-28 00:07:19,397 [root] INFO: Stopping auxiliary module: Screenshots 2026-04-28 00:07:20,350 [root] INFO: Finishing auxiliary modules 2026-04-28 00:07:20,366 [root] INFO: Shutting down pipe server and dumping dropped files 2026-04-28 00:07:20,366 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\run.dat to files\36bafa5002051a4b9b6881e5a98a99819e4d0b662428a35760be4ff269b74707; Size is 8; Max size: 100000000 2026-04-28 00:07:20,413 [lib.common.results] INFO: Uploading file C:\Program Files (x86)\WAN Manager\wanmgr.exe to files\2c14151d8f546aed480a7eda9be556bd37831020a3ab6d40eb993c260c9ee26b; Size is 207872; Max size: 100000000 2026-04-28 00:07:20,444 [lib.common.results] INFO: Uploading file C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\task.dat to files\18dfaf9bd0867e40bf38b6f31369867a9d3ed42ac0a7a313753ad173556a4225; Size is 41; Max size: 100000000 2026-04-28 00:07:20,538 [root] WARNING: Folder at path "C:\coVEjD\debugger" does not exist, skipping 2026-04-28 00:07:20,632 [root] INFO: Uploading files at path "C:\coVEjD\tlsdump" 2026-04-28 00:07:20,772 [lib.common.results] INFO: Uploading file C:\coVEjD\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 14522; Max size: 100000000 2026-04-28 00:07:20,991 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win10x64 | win10x64 | KVM | 2026-04-28 00:03:23 | 2026-04-28 00:07:28 |
Malware Configuration
| Type | Value |
|---|---|
| BuildTime | 2026-04-27 13:44:13.898730 |
| Version | 1.2.2.0 |
| Mutex | b99f832a-30b2-4929-80df-5af09cffdbc2 |
| DefaultGroup | nnzn.sa.com |
| PrimaryConnectionHost | nnzn.sa.com |
| BackupConnectionHost | nnzn.sa.com |
| ConnectionPort | 443 |
| RunOnStartup | True |
| RequestElevation | True |
| BypassUserAccountControl | True |
| ClearZoneIdentifier | True |
| ClearAccessControl | False |
| SetCriticalProcess | False |
| PreventSystemSleep | True |
| ActivateAwayMode | False |
| EnableDebugMode | False |
| RunDelay | 0 |
| ConnectDelay | 4000 |
| RestartDelay | 5000 |
| TimeoutInterval | 5000 |
| KeepAliveTimeout | 30000 |
| MutexTimeout | 5000 |
| LanTimeout | 2500 |
| WanTimeout | 8000 |
| BufferSize | 65535 |
| MaxPacketSize | 10485760 |
| GCThreshold | 10485760 |
| UseCustomDnsServer | True |
| PrimaryDnsServer | 8.8.8.8 |
| BackupDnsServer | 8.8.4.4 |
| cncs |
|
| Extracted From |
2c14151d8f546aed480a7eda9be556bd37831020a3ab6d40eb993c260c9ee26b
|
File Details
| Type | NanoCore Payload: 32-bit executable |
|---|---|
| File Name |
sex1.exe
|
| File Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| File Size | 207872 bytes |
| MD5 | ec0381bf2a31d2ce2e4a00f809db6266 |
| SHA1 | cbb5b6fc88aa57b1675a71a7e1d9eede95238315 |
| SHA256 | 2c14151d8f546aed480a7eda9be556bd37831020a3ab6d40eb993c260c9ee26b VT MWDB Bazaar |
| SHA3-384 | ec3dce417ea77de9d5ffe299d314856d9fe313aef6f2d0756bd3c1d5189229fa7ec47b248eca9b4b3e92aa5ea87b0095 |
| CRC32 | EE2F2CEA |
| TLSH | T1D814C01577A94A2FD2DE82B961221143937CC2E399C3F7EE28D864B74F267E50A071D3 |
| Ssdeep | 6144:sLV6Bta6dtJmakIM5PMBrwBJnaMC8xFev7y4QT1ta:sLV6BtpmkKMFIPHPe2Dta |
| Yara |
|
| CAPE Yara |
|
Strings
|"$V1
#=qoTNlk$Wngv$bqPRyj4mJig==
Environment
#=qKraENZVscKMtH4GMIJjzqA==
_Lambda$__2
ReadInt16
NtSetInformationProcess
RebuildHostCache
EndPoint
Random
#=qbwvWShVSL8DgrXXfPQ9kNmpf6pmcj6q57bPfcsBp938=
WriteAllText
AddressFamily
#=qZ8pysPk74rQ5GX0s5CkOJQ==
Int32
#=qYpD2x2QTNARNJcnXxG0OjQ==
#=qeMVJwq86lZc4hsNJNMQJVYiQqG94mfqhBGc9gH9UUgM=
2}}bV
#=qB4sApeDyjGxBivHLwR3FTJejGBlbih3hr3f3TS7BFbY=
System.Text
#=qmcl1D6lgUOLuKGFFyxMamg==
FileCommand
#=qN9Enun6Rlq30xNdBjhzY0A==
:X<y]
#=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=
#=q4X5fhkJm5XS4LlpLIyB6bA==
,sNo}
>j|:"
add_Completed
Uninstall
#=qq_SehjaC_F9U66vu1NLqjA==
#=qL6PdpQwMNSdyVKw3FgboNw==
#=qPfVuk6552RtecCgHDnGSkA==
iFl8H
#=qkcVkJskuGA4o7kGuN79i1w==
#=q$6NbEg0Hb4neXdXPgEgHJA==
#=qd8WIZO8f6IRqdUmvxawj1w==
#=qGxD085Z3RQaUY4iGwWH$xgEmRYVWDAN6hxNjaXokfVc=
#=qyM$eq2QFDjIwNzxtrtw3WE5gHFsUOsREqnRunYWzTvs=
ReadAllBytes
FileStream
MemberInfo
get_Width
#=qCJD3QzeNpOG7t7hUNPqgxgwPhMjv4aui2ikN049iz28=
#=qzRcQ_b8FoTlpKT_BObsgBl2bj71wU5HcYdpIIgiTJ5c=
#=q$njopRrPblqe$yrs$rsu5Q==
SpecialFolder
#=q5QHPwKvqpNRA$cKFBj8i9w==
0*KfE[
#=q$YUIMaEFO5IFZXBvo0kclw==
DebuggerDisplayAttribute
<Njgc
#=q$yU7aYEYOl8Nz4sJLGQQ6w==
#=qh42qYul4hj$aa5mluadvLA==
rG~$5
IClientLoggingHost
System.Security.Principal
UnhandledExceptionEventHandler
#=qaWedjkiL7CWj9EfMXrEg6Q==
Socket
#=q6tJHosKuF0IY3gGxjaveNw==
#=q$P4U7B6$qbq6QJ_QX8MfyNoxYRq3foNT$OZzr5yEqDQ=
#=qK$702nkzQ4rQ0lJLQZ2zaw==
#=qAfx0INrfgWoPN$Cz4VEZYVFcKNxFeYaixc4CaQpU$0g=
#=q5C_es0qgtlVCNxzfPQ_idg==
DeflateStream
IClientApp
8.0.0.0
%d/RXj
#=qnonybcfG2jzQ4kHK5lGw3g==
#=qJtsKc7ccoU8jRrRMGJWqhA==
#=qRvcNy1bY28C6xYdCX8MF7w==
#=qFm7s8q151MPpLODhzLizPw==
mscorlib
#=qMMPHzLKw8_cOGV193acukw==
NewGuid
lw&y_
Q@Xr_
get_Buffer
ToLower
5/fKR\
#=qnB6QgyVNIUL$Uq0GD3p5d7LpaFZvHrB3jSqhv3o7qlE=
#=qJZLeQthAfpiCw0QvZb7htA==
#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
#=qRxyF5FV01AHvUkR3BeX8OA==
feffefefea
TBXJD
g/)p[
Sleep
#=q6jLYuOOmC$a9_UySsUlsFA==
GetString
#=qfkwtPDg_wfxGVFOXd$WnCA==
#=qQR2R27CtTwLSuNC54_JY1g==
_Lambda$__10
!^X:L
#=qFlz$$vhlrnZb7YOji0eF_QZBzkOajT0w3UoQbgnXVIA=
Decimal
Microsoft.VisualBasic.Devices
#=qikBX_CmS$ZzVAuq$nQJBDwmLm5Gee1iPlPuvI188Ejo=
#=q12n1704BGxiT9AoOoTNqog==
Ae6=x
Resize
#=qtxvtUAtG5kwD1CbaXqZpxrHWaxR5CiRO2OiaCLfsbSk=
#=qBpzegr6XzkmtwALf7kKPHV3RZVAWYLbYE79PiG2zXYs=
#=qfsxP7vyadqL93mAkiQXr1tsUC0B$7Gp0ZNAPpjNxIG0=
#=qN9oos_gePS4akhGX5rjcOjS2FNZJlTAkUnO0Ykgu7Rk=
#=qQyvT61RAfdEUvn1jBvcx0Q==
get_AddressList
q6Z>]
e?A?v
EntryExists
#=qoGHQsKlZ7jK$YeTeBpzDNYYM4Z1FIrOpXaDV$VTAdfM=
Process
#=qHamFicykpD9fQKnU2wtqJw==
cV?Z|N'
#=qWaMf_MISHPEu34of2Bm5$ay6Z6PuaGN7w1jlKYjzwdE=
5s4*D
n6X_V
#=qlV3FbiF00r5Vrp5nqoncyxDHZMuHB7yuJa7xS77K3BQ=
#=qvPYkN4Wli543LScsy6rh$bZ0bDIN0tYd5zlNUibOEKfBRc13v6NIDRtsxPOZzKpX
#=qE8a8ikTp6zyXXyhNYzK8Wg==
#=qScWgGHvDwJ0da_7qXoO28aGE1ea7zp5$XjEJLTXkuHQ=
SocketException
ResolveEventHandler
*PuZI
/U-WT}
System
#=qKxYY$jYG8_7mT_7R0n5jfw==
#=q5s6lzZCgRNNe2Z9HZfa94HOHkpUfSnAwZsGo$hzh7hY=
get_ExceptionObject
ReceiveAsync
#=qksh921Ur22JKhSIAXESSag==
#=qwK7$pNtMfqKNZt8gGYd$pw==
#=qEoM$dAPD9j9L1YOZU2B97iwm0vZOJe13LDB3GayWQEo=
#=qZ79zrlLw6T9kJCHt$e306HkmYpQl8J1ugf3bmy8tycE=
#=qKoyC_0Y6bPLCPvDcJr2y5A==
set_Verb
FromBinary
#=qwSPuuWVW8tz$gDazhda2d$myXXX0Ro_wRP7Rmm8JiiT9wA1EeeaPUV2jnUkQOCHa
J.eD$
Rb:1>@
6t|Oj
#=qiIt1yNcUYn9ksB4loCZmUQ==
s~F,r
GetUnderlyingType
-$& ,'
48saj
-p&~C
,@&(\
#=qwdHHpd7UWv1_2lcOeunA18XKUsrG9D8S$xli$tkAMlI=
#=qp7rlpRCprgGh7RCnHteaLw==
#=qU1g6m1CiJ5yzLECox1hBrw==
#=qkrqC_kLD0I$zOgfqD$aGaA==
ToInteger
#=qaCmGqb7phy5lq$DAzhK3vB71XCZSvhKm3BtGKq_xBto=
Wsr!&
CompilerGeneratedAttribute
#=qXfm3QhQkyfcZgbFdAZgHHmadm7n1N0mfKcKBqrdfAk4=
#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=
#=qzB1OZ89gRpxcPckUn_afNY2d0beSpEyl40_4IarIxzM=
pe&fz
RijndaelManaged
#=qgSHqO_KLHRARFg70SGn_Mw==
0D2T)
~(0(UV
#=qDx8yS5wU6EQSawGC841xnw==
SetValue
#=qJe4Aop6J2k_bK0f$hS3ZOQ==
LingerOption
WindowsIdentity
#=q4KMIX0AcXAdYuUiSKvyy9Q==
DeleteValue
#=qbOmsEb0zGpdZukI0D4Idug==
#=q23tIFHA2cbwzlg6YDYhwLkXCJGgIhllZCGmc4pRC8rI=
#=q1uJdtbJoEKhZjOld7SeHjw==
#=q4N2IYJkFi2VWiCVDKVND$8gixU$DXUcX8F2LiLBxLHw=
#=qzjMBSDJWeEdkUWCBxYatrQ==
#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=
#=qb$tFKVReqZMI9M678cKWGdlE1UJqJBfHAfOfQhXuW5c=
v2.0.50727
BlockCopy
#Strings
afeffeefeffe
System.Collections.Generic
#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=
FzAV/k!
#=q2dXdGRU_h62YVIUhgXBQJzEnralpXNvp017RQs19jjo=
Replace
#=q$XurN5kwCvUuDGDncP4myluEGVmoB5AfvTb_Ct0PT5c=
<_bG;ZY
s8=V<
#=qWcYPgOJASLG6mRBDPhOIZERKO3Eig2IiEWCrUa$w_Mw=
set_Item
#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=
c`iD>
0vn50\
#=qTfMnD_jfiITiB95ES2nWdLlDTdGOSDVgXEnjKNGkWcM=
#=qxb6WVOMh6wjcZFY_Q0MJOQ==
EndOfStreamException
ToBinary
#=qUWYBucdXrqr2Ksc_3qKZcA==
#=q97ilq24aAenhk$hG8MzEMQ==
BuildingHostCache
DirectoryInfo
#=q8r1xTCj7grAlhMxU0cmrbA==
value__
#=qFv$qWif57TCUNsu_O3F3gA==
rYs|e
#=qSYke1CBEgOP5WhDQ2wCOhA==
SuppressIldasmAttribute
CommandType
#=qTSoRMaNGYiiBNK9Yfq59T$2z3sNScYh9uxoeWlhnD_A=
get_Hash
UIntPtr
#=qJY6uBmA7bjB3pfI3CAMZ7w==
GetFrame
G4pEt
#=q8Lz$o21atQxw0qUwF07ufqfk8jjJrspNc$L9E2y_kjQA$2GQzuj5BmjDMXRcd0oL
#=qkcPDXy2$GrSLn1ykhNxS$A==
NE7WV
#=qLJcloNvItceT7R54Ssv5HVCoj0j2JUUq_dQXQpFZZjM=
#=qafzQcMCK0eVSctI0IcD2PA==
#=q5W7RemVArrFCeEyFuvU4Hg==
MoveNext
UInt32
#=qV4bSY95FY8CPz8U7EzzkRg==
#=qUaHlQloQ1heHsricyshXiA==
#=qYVgYkiAmhdTmisXUMVHYlJUHzcBdggj3Sn3nLI_MDJ4=
#=qulZN_JfMbEqc2jFbEooALI6mh8tLy9$3NFedHEXAIAw=
u~-U8
=oRe%L6j
Assembly
#=qUbRtqAPcSxRMI51YgNXGZ9omJvV5BvuqBNocgi7xl6Q=
sRvb\
#=qrIbbxniIme2qLTdRw6i0wDoZFMH5BWs03iMeSnjojQU=
System.Reflection
#=qAoRzrFi9HiHjyPL0ixkVXA==
<EU|L
#=q0QKFCbf0u_IpV5ISOWOl$Q==
v"HAzCG
#=qr5qpvOPnLxLp6aGkfAM7wQ==
WriteBlockData
#=qIZP8IX60gSYF82kuZejmg8pOoXfEBczapTTwgrWM$fM=
#=qrjPq4iPb$PLckcObsgRE1Q==
DEcW{
#=qH7CAcg5aycQv61Wo62XDpw==
Z^OGV>.
DebuggerStepThroughAttribute
#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=
#=qJrzYsTPKAwT$ubz_aq99mw==
Cf{vp
Int64
#=qtBt$1AtaHrrce6fc6LOT3axuBNxZ$SQPty78qYGi1os=
#=qfjs2lYYPRWKuXjeHrc8Rtg==
\CZM8
#=qbUu2Y2P9FL2iRkWyb62gww==
GetCustomAttributes
#=qul8YRvQj1pWpo4_UxgOSzOBvtncEE$VPCzTeLK_rIz4EnXxineVkwF$lTxruKPxr
IntPtr
9beO0o
#=q91nKS7P$i0qKCqvUAPW9EQ==
#=qos7yzAcb5jR$ypc0Qk3OWQ==
#=qw9FR63zXVj$omVnwg0u37A==
ReadUInt64
#=q$Rh_ulnlhN$9Zn9n4fKAsvWT9cisaHT_PgvcGANnd6o=
&&*}#
#=qiCTCgJQkyH_Kzq$FT43G4Q==
#=qCeJ_QwVb__fbuEImkTXwSg==
#=qURIxMOG0HImwEP4A6zEiPg==
#=qxQTn_t1ZFKKNm77mQ5vH9cInicm2Cv9jGtv9vmIpksI=
#=qQLqXliLS$ujl108DGV7$zv9jo8WyYr7oxBJvAgzllyk=
0e%.d|
GetExecutingAssembly
#=qqIzVXHiNuUY4ZNiSxkqEGQ==
GetTempFileName
_Lambda$__5
#=qEnv9WsExz6baZJKRUDupw9eEQbgJVjj69NjcsJ7hrBk=
$5ce1dc0b-04ba-4048-aa8d-caa0354c0972
Xy{K-
#=q6pErmyx6x4$YkotXXEXGCt_ysi5JdNm1fpNgnUvZ9LE6EtA8E0TapqXrPnqyBO1x
#=qr6ouJTA2RwDm_3Z$eUP6TCvbpSA$yAFGnut7D4kG2$I=
#=qjM89gxwDLZ9izFxrYPCtcA==
EditorBrowsableAttribute
#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq
Lw;("
get_Offset
#=qyxpfolLUhMvFTDE2h_syvQ==
+C? 0H
~&h9W
#=qAp_zHqT7acjq$QNiBoq2EA==
bBQZ`
#=q0msvLo3fKjQ5ucIFxkdur24Cc0tFDGimgcqgtAeKZq8=
#=q2nHH3haw3R0VWVw4qHOwKw==
ConnectionStateChanged
#=qRxKU0X3UfYwXoOTtDpEVW6z4XRgE1s4V5zOQsfCCSqM=
RegistryKey
F% 6[Me
#=qwogjI4gN1imp1VeWLroXTk41PgYeLQ34zunh6NYu_3g=
M`o}+
MyTemplate
#=qm5VvJvLZD$UcnjvypC5XcA==
1i^I2p
#=qtWaDSiZ3KDHpQtSfxDZV0w==
#=qbpvfREN3OwaXBj6J3WBAim$AQyJ99fz1ef01qn6kVrs=
D>)TY
#=qTEC8gcgkt672qW159Oe_Iw==
StartsWith
Rectangle
#=qwNkTTorgPauZQTT6jiqLIA==
System.IO
$>lPy
get_ExecutablePath
9g}MS
#=q$c3lXLbhl3Qzil6Z9hYEopCTRdsG8WE_1ZuhF2KQELQ=
#=qm_Podb$DJ6CfxMwMnaj6heXfc210URbSx7p$rJGFPmA=
GetFiles
#=qay$wDBdxvh$MBWrC9YMhC_f55kIvkv7I_BjPu_7Ajsw=
#=q8NzetUGGc1cM4ZGyRGGlug$fKAOwmcPqe4nFzDGKLk0=
ReadInt32
Remove
#=qTAs57ZkYafcLC2FZLCGAiQ==
get_DeclaringType
ExceptionData
Format
#=qvX$J24rI0eJ0gWfA6CEdzVJN7bQN_YTuS98N0yyMYPo=
9RNWA
#=qLKYxZZVHP8wT4ocBxnjPXg==
#=qTLmFjOt1Rq5$fqQEFVZ2zg==
#=q3S7bY847GmpPliI1m7tZaAVifJNdeHclZJyeY2JTxN8=
ArgumentException
#=qWQUgmvsTzj15wSjWQHZnng==
&2+0\
HdXLH.
AssemblyCompanyAttribute
#=qfvzoVBS4j9KdxyngOlL_NauqVYLAaOZVw9dutKQSAp4=
_Lambda$__4
/!|Sq
#=qO7YVPb8fjfyGw81pHcJjnw==
GetPublicKeyToken
#=q1A7nXYgjUuxh_0aV4fZMB87On7HuSdbeS8x$mfXfW2c=
#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=
CreateEncryptor
#=q5OunwTi_tYTGCTkAtZ8rARxlhmXbFcAf_e1GiEt$FEA=
#=qhWn12I_bGxHfrIrnto3QAA==
IClientAppHost
#=qWgd5i$rED0nEbfExDCteKBL09U6dKm2BW1AXqZVXCWk=
#=qjlBNihUiUO2oBJbOEbdB4u8xmfTL9EQ3AEFa$nrdzJY=
#=qoTGj8$mBoje$u1RSJ6obYA==
t:0e)W
ReadPacket
-#&~7
4+Ot=]
CU fL
Int16
WaitCallback
#=qlIUFl2SBYSRov3A1WGimWQ==
#=qVEEdpD96A48uRzPJT7G_w60gIZo4tH1_e21GoRWPFm8=
#=qChPTKc$8xcHrcle7anHYNe0wH_TweGkex2nGe9n8WDs=
#=q8uMGC19QD5WGzpkzUOu0SQ==
,@W<z]F
Disconnect
PluginCommand
AssemblyTitleAttribute
#=qXO4A8$YrN_OoPhFOn$Hhtg==
Dictionary`2
#=qLSPQZXlXixhGX8Gd10$ph8j0p3_XdW2xwrfqz3nO7MY=
#=qDJlWEiuGwuVXAz8yc8z7OaMssRYN4hP9AHespNOmdYHus6_1XkNOC0rqgHeRZksg
#=qhwyNa_lhtuoyuJK5j3BcF4xu5fY5XhFlgzkM1Cgy6IA=
B.dIs
Dispose
B.rsrc
TimerCallback
#=qzRf5_jFnPo03SqY9Fq$uTg==
Queue`1
Shutdown
#=qhiSO75CpxncaWptyc0vAMQ==
#=qrPQtMswclvOlK1AxL1S4K8M$owLGUpQfjJA8CWW$fj1az7m8LFibY8IeMxHKi4wi
ProcessWindowStyle
&&*}b
C{A/{
#=qFZ8xm69Cd0C55Ip2ORf7Ng==
1;sKPkj
-b&(?
#=quFACL_$e$cUEIexpzPXS7w==
#=qedcCJsW_6aMZb5lO3tR01A==
#=qraB64nHTnRXCE4d7ffs5aGExarxpEh0COAPaEFI5iV8=
get_CurrentDirectory
#=q5XjI6hZlPIrXq2h2btB_pVJgDh_o3RXkWrFCxLCG1E0=
#=q_$JrmDHg2uq9s8cQVRi8Jw==
ReadBytes
#=qJqkjp9g96yoxpNS2E$BC00FKleto7dZfN9N5mtLDF4g=
#=qszlIp3ITaFi0VCgRIaErNg==
GetBinaryForm
Yaa*&+
get_Y
#=q7rZvZ5LmWDFo52hBeGb87g==
#=q3LvM$oW1poDdLKDT_N_s4w==
ToCharArray
RegCloseKey
#=quOBOxPeAl_kjKKx$REI6dA==
#=q_NLac$XJ5lIxZMpXsr_nBw==
#=qOplsUBML8x2xteEBilOycw==
#=q8Bp27fhtrXMmonNxf$9qLbuQQehIBQTdOPDQw07FUyI=
#=qFMsFc_zvkhu_B2YTPJt9Yux7Vq8aZNOr3FA$mEdAzCc=
#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct
get_InnerException
#=qgCcrNFC0iLB8hKTy5iNnsw==
L3&UNmY^!^
/;ol]
Marshal
#=q3cm0QwDyNYr2y$xvkCk9bGbohRfuMuxkahGwLy466GA=
#=qyzEuYsQ6u9hwZeR0HeWqvA==
#=qf3c4WtE$$thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg=
#=qcDgE7pmQv6niirKxFRMj7Q==
SetKernelObjectSecurity
jsND)F
WindowsBuiltInRole
#=q4d$NdpGCMcL3TaMlT9EW69FacIvNnqDPMFNisgGhmsY=
GetKernelObjectSecurity
|*mnk2B
ValidateBlock
C{]_o
#=qRbDxNN_CBpjdn11hjtWoZg==
#=qe9p_PgOCiouYWahOSDKth00dr9CdsTb1R3DYgCeLUBw=
#=qsYpthruwyrknxFdWaNp9Vw==
CreateDecryptor
^s,}W
Conversions
ReadDouble
#=qdzx0nDkNduYsJ$MOZBFb6jelzyvbyiG7So1vqpZnVLU=
%XfzR(Z
-'&~C
#=qCN8q7dxuBuds3rgIjZ1oLA==
#=qBcRYABJptno3$fpXoMXAvg==
#=qArVl3RpI3eEiVf0qXoqrWw==
#=qk77uxMCXAcR_2KMKgZiSng==
xUB.i
#=qd7oUKLFPI9nt8Ln7RU53xA==
CheckForSyncLockOnValueType
#=qCKX0qzAtjLAL9KBPrJWkOA==
#=qXzNbY0aXEU2Rr2_Jbe87og==
ThreadExceptionEventArgs
get_InvokeRequired
#=qu1CivWngdicjZHEJYKM3dA==
#=qqLLpPwpASXA1wqOuY2RNlU8CTc57bQGBfHWaLDgrCKM=
AssemblyFileVersionAttribute
System.Threading
set_CreateNoWindow
#=q9rN$wEdl9rzJbAMMIiemCg==
!e~uh
#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK
GetBlockHash
#=qdy_NHDvN7XTcQtWWMYxYKbuJqtXHsYJXM_YUEvVR0bc=
#=qyZOtLxFf9zA2x1ff4_5cOg==
Write
#=qxUvHfLZKZiUmPXUqPV8Vcw==
#=qsAejPkl5V6B3npq6homyUA==
Microsoft.VisualBasic
AppDomain
#=q$bBbU_xpGfMMkAvp45SBRg==
#=qZiHVbt3FXowK6_NIyOxsOw==
#=qsA8D04owIGYHILF6yPa43A==
#=qtT$P2Bo4VHFu60OU4VLf1H20c7M2DlURuyfb_XJDYaM=
#=qstAyOBsDsJqFRKDvXIn01A==
#=qWljP9Wu9miiHAG26c_L7NQ==
\8SYH
#=qGqLDylJy8NmMEbMDJmKtoQ==
#=qvLrEXVjSw17e3P6GFPALhrZXcKcfxuk0NupQhKFf0VM=
#=qFlM8LWSzwV9qMKMd32mVdQ==
QueryDosDevice
AppendLine
#=qkWUjAoA_6r2E7qo6NAGuIBq3iKikqBJbioTC25CcZQY=
#=q2wxuRKC7TyzyevfrmeuJ$w==
#=qZFVU$VkNPSWYii2AVQe6c6mwAUd10Tgqkl1$K5gZz9Y=
.]7=2_la$U<
#=q63A3zH9hQ$3c53x2wqU0Qg==
#=qEqBb19ZxrWpMC8pwAc1v$Q==
Hashtable
#=qFYv4oSsEFno3Ujev9_o4Hg==
#=q6Xi08r0$lOOnXtoBHhfMuQ==
#=qfOXLv$ej4ffVoa9QN8Vke8O9DCKhSHEsi_sqFk8Qf0o=
get_Day
AceFlags
MessageBox
BS<R>
ToUpper
49#m`.
#=qVXB_y3eN_sp1$Md9UoJeYQ==
v,=E.j
System.Drawing
#=q6uR3lWd6_aD2reKUDlx$OA==
#=qEIPcndOLrV2GJmno7zKtBA==
Details
x!3GE-
{G!0'
ExceptionHash
#=q8T1neNU8Flp1WaNsBKnRHQ==
#=qfPf03rjJVGFkLtYSr7zDRw==
#=qUUt$Zm9DEy7746wMpw0nOgKcClljRPRKWyhQ21GyaOQ=
#=q2X26s_rFZ25AY$hOcf_6zA==
StringComparison
#=q9heLrZy3cpWSk7do8VVthg==
#=q8McCIarwH$XScVz0xkTmJw==
Combine
#=qBhG6LJNfmJspOR5A5YrkZB3a_dWOpJYSj4Mo9vfL8qo=
Create__Instance__
-'&oN
#=qDOdV5duF980CDFSFl8oQpw==
ReadString
Client
Object
#=qe5qrWacQXGv9g0P5D_mRuQ==
#=qluYNp43cwlAh9yLdLZolDw==
#=q6Aboe3ONIkez7GgqcdWPi0_vrT_i53_89HUeagGM6MThXvFkvl8hpSeHO1UJawKN
Tk~rs
get_Message
fefefeffea
ha|H=+'
#=qe0mY$R_rBsPIZZv3hPLS4g==
.4Ccq
PD/wj
-O&~r
}qh3`
+^Tw.
#=qKYm_FHWoJ42y$VrakLgWfw==
FindResourceEx
Concat
SocketError
get_Unicode
#=q2gthvB62n07fYVTx5fwIqxBAo1t_hs$il9Ac$4FY_Gw=
GetInterfaces
ah@GI
#=qYMGXxffne_DlG2tyCliUw119RPUt2rJt6SWle_TPkBA=
#=qCgskv3QU4cEy8M7hqvNNBbFyow$DvbmSQrN8A5JJJWs=
#=qgB3pFGrOVxm7f$sXZD67nQ==
#=qQRAhbbFlVBfqrgso8zehPg==
#=q3_xjz98EYRXgLslROl8imQ==
#=qmuy0ee0GJl13ksvWRbOSbofOCTPf0dv0HYdjJq9H_Es=
=DLV(
OperatingSystem
#=qnY1InNbQmfgiJXdGVH6rvQ==
#=qYI$MiBdzcplbf7GqrUf7Ig==
&DL9/M
fefefeffe(
#=qyEH54IW$f9fUJb7FOR8r3vj6e$onLGrpm2VGycjbl9TZJEqkwtA4y4bL9ExOWpiA
#=qMWVV4JCreo65oWvwYJqZWobqlgJkr$K2AUIqF$weF5s=
MethodBase
#=qw39MYiiaN1XJbqsDq$LgQw==
f!~>~j
-\&~]
#=qg9gWuHgvaa6cHg9wj9NSQQ==
#=qr9m9EjuYAP$2E3p2xadfFhcTH6toAhrm0dlfOTldiWRsdXd8UmnkRkYrV_8$1gaA
#Blob
4{'Wg
#=qzTUdhpx_l8oNrXik8Q6a51kZkIp$waiEMbjMOU1bFOc=
#=qABSlSWKh$8sT$UF4sG_vQMmKqh5lDRXHlL1yCp0W8x0=
#=qw2XWrJCQCyTO0Iwdbz8TWw==
AddRange
#=qQ3JMSE9km3mGmL6lmUfRHw==
#=qEQtWieYw8BPdEE4hbsjTLrq$BwGjJOBoaDYJmV9xVgE=
\M/e(
#=qtIl3MhjXHsnCHvTVFi9hFg==
#=qfozjXlIKX6LyHHXB6wCG9g==
#=qjIje6jGWLd2EOkfZXKqBbg==
AddHostEntry
&&*}X
#=qKdZKgyAqL_iP0GUSJkXePw==
ffeefeffeefhah
LoadResource
get_IsDisposed
#=qeKiN0Pwa0MwkK0uB$Ook97TrMQC$LNj1jgF6xTuSA2g=
!d{t,bk
add_UnhandledException
#=q637XAKKKpMW09u9r97v4lg==
#=qwGMLoIBYlotM6E$y2KTAuQ==
=!#0jR
#=qeeDSInMnFASKK3QXGIKUxuxDb8FgGi0XLXRlZ2oJdWM=
PzHP/SB
WellKnownSidType
get_Port
GetMethod
;!5mi
#=qehEpCuPIxZRbHczlt$dAWi4yWi9o1_noSvuo$Wzvtyo=
#=q0REOJwjO1qsE01G_RQE1TQ==
EndInvoke
#=qPNzwB3EyeKwH$TwKjEdAjAC6A3IlGhANCdkUFCgvEiw=
#=qpXfSNxR7J3tqOHyqT6s_Aw==
{!rE[
#=qNz_Hz8DMWPqA8pVcg8d0UVymwvCurvyYgdZaMK3OhQE=
#=q0PMcXQJxcLLr1sYO0fpyhPjUwjQtInL_vJPQSgCsfio=
!<zuJ
#=qO$LkcjIVULy0PGjvpOiiEw==
#=qyc0YQPNqWwZHkgNDV8lyIQfgMkEbGZtyDsLzhYmFp8w=
#=qhFV5jkshUI$uRxypI6oecQ==
#=q0pfW5T3uO1I6LyXSPFW7Qw==
#=qQ_BBkbckkXGbXV1nE4Sw4w==
#=qYiXVlu3YVR5erIxfIIBHo1Gv4y4z4vrtnS$$9CALbVE=
#=qhq3FXVXLOItNPwDlpFnTKHk3JkInaJiiSE3uR3jtGH8=
#=q1AWpt7Zq4Tx0wGx4hVFZRg==
#=qhg8oaKg1xx$HC$DKnlbXQpibwH2HXqMGSlGv30vEUsU=
#=q66hvvPDVbMv$MYStXtnb6Q==
_CorExeMain
get_ParameterType
#=q__Bys7JTXmAiG9F9QC$wjw==
get_Position
'k>}T
#=q51SFR_Fbl10nUMKjGTtHqA==
#=q3TG8MLoZf1Y44PREVW$6m76IGmuYE_BOhC_OTjkQJFtYWwRtSeFqevP9hiteuLfz
#=qmbdg4P9$2ouafwS8nEs4lA==
#=qudwGeEjJDUB9pt$_k0YOgc30ZWMo1bIGmdknk40OWog=
fefeffefefea
#=qH8FTQLBlM6o0t6zf8SLPUg==
N1-M0
CreateDirectory
#=q8SIEDcn4WoT9RcZmFK9tzQ==
#=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA=
#=q1jj2Lo3UBKUZkdI2bLcg4QlXuNGNWZ$CYnK9VTZNEsA=
#=q8nWzev5go3NKhN5Gk9NzTmM91eKwrK00n3U6GWmH8Kc=
#=qjYgYU6Lnx_W1ikVtBmjm3w==
&&*}&
RuntimeHelpers
LocalMachine
7;TB S
IClientReadOnlyNameObjectCollection
StreamWriter
#=qGqugi8s64S3wxXEod1SSyA==
WaitForExit
#=qV9UIxiLyaOi7XoTx2DUJwr8Ior26OirSZwM3mOvftrw=
#=quO7UmvJ4RBuIIChSn0jx_M$HL4rBuRuRZnNBEMlpsJw=
#=qxWNhTH3aUmlSLTvydVoCIQ==
Boolean
#=q4P_5NYDHZX9MPbDZuNFOAbRpAmJ2c_TFz8M5ulhIFApTRNfzn3_E1__1$MVw8$WV
get_Major
e9j,2
#=qa9HOmSrK7mjt1ZxVRncCgFoJUA6N3DmB1Rc$YUfcSKM=
#=qN1bIi$08taNozgdgDWdXVA==
t/[C#XKs
#=qAM4ZJ3aDwBm_a3IkqHxLmjdKzHIQbFeE9thLHux2o6g=
HostData
ControlFlags
#=qdZqWoaYN68rlMOX4HkTLdA==
#=qru2ORBLxmt_CUDya_FEQGA==
AssemblyDescriptionAttribute
#=qxWp4ETQRrgcfPChnmxhivyMmb5p6MuyluC9Tc_Mhkec=
fefefeffeXa
#=qVQoZlgR59_v4NYIa4CBPQw==
xI"MVk
$F0@_
m1hxT
#=qVHGoZQC06Wdz1fJDKkoeiKu9aci51znqNtMz8dGZQMQ=
PN_&7w
get_LastOperation
%i]xD
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
-(&s8
ReadByte
#=q1tLM5Gk001IDETj3RhJ2ESaIo2XgaV2vMWhqISqSHy8=
#3uzz
#=qRxR4aJg8TX8oM$OpeoviZQ==
#=q2V8VN1ZqnXOBhkZZr6w3VA==
ReadSingle
rv/1D
#=qOxeV7mwtJT4AH3HtBqNUXw==
set_IV
#=qzx697Szk1moqO$yUynaioQ==
#=q2XZFEYqbf67s$PRf9Xyx7Q==
#=q1abXKhVCyzVldE9ra9z81A==
#=qgHxgiBgB0FhzEGOOs2Dqnfh3XnJ7nEmajCNqRqFR3Fg=
ValidateSource
BSn][g
c,g`
#=qA1_qolTI9aVdwnEde3ubqM6zKBigTZiyb5_iHpeZQDI=
#=q3fzZpU7POi9yYKua762KimE0tXDV2VRrjyJcPuwXgTs=
#=qxp6ct4JGLaMDbwg6fkrIEw==
#=qCA$7lFkUlfYTBh0Hp6uY4w==
op_Equality
ClientLoaderForm.resources
-!& 4'
#=qRLk0VFphuSTh16H1MGZUv_HwKU6b1$OQZ0l10zUjPKU=
#=qbbSw65PC$nto6DJiWxTawg==
MyGroupCollectionAttribute
#=qA5pFz5LZPgfUa5zon4beRA==
ParamArrayAttribute
<generated method>)
'ZI&m
get_UTF8
ToString
#=q1t2nN1p2nWkytA1wjQ32JyClWcTGIZMOEV9XOIYf1xQ=
GetHostEntry
`.reloc
#=qoKFLFqm7bb3VWsU2QKXIQ4_6anGbTCWiZAfrNlgq8fc=
+.Pb/
OU)="
#=qLYpbsprg$ymVLeNEwEpYlA==
#=qG2DPieaEKCS$j6T6yTf$qg==
&&*}(
&&*}e
#=qSyCMza09ItB79lrZlFBuQQ==
#=q$mqGRbJ2J2TNgadoLHYnIQ==
-m,Ol
LM|s6&
#=q9tI5WfBIFIPW_84mZnHV05cJ9fSyOCl9wA8lwPxs3PQ=
NfefeffeefY
WriteAllBytes
#=q$XxqrIH7dyYqacMzR_CjGA5JAR0vUKiq1f0DFqS1mcI=
add_FormClosing
#=q0g2hVR4CYkiIvLHeQL6tUkW2KQhRibG1DIo1pReSOj8=
ParameterInfo
#=qWbDVCvJRlY$nWsVAToK13K8LD9gZFcJQAtBUvjDEcyo=
SByte
#=qQ9gevS7b4oTsdxtV36c3$A==
#=qrWKlHKCxTKueolOR4ohc7D_cBhjLv1zNIcftgcigaGU=
0aQ^C
_g0,g
#=qKxL6kQaUyB_6jIG3mQUGOw==
ReadChar
Start
#=qEbf5uxiH92v$7mL0TnmsnA==
haE4k
#=qvJ_V3lJRnVEW6EI74n63zg==
#=qFxElXT3T_$sB_0gpbmQGIA==
#=q7wsNZ$btlm7uRzkYXMkJl8JrBCKSYJt4if2WiKQrObs=
#=qYGU8a5KOsYzqpvljkWGWKuQS9mZuJYQa$8g5J6c9rho=
#=qxRbSDXwo6eARhpCjqJa2Fg==
#=qEn9Mtg$AIqWbq3whj1y5N12e3KXi_NwIIcl2i$FXNSk=
$_di;
SocketAsyncEventArgs
ConnectionFailed
get_Exception
System.Net.Sockets
#=qOn6YhA2JjwnYZ_7D0fnnEw==
8uk-|
#=qu0EIqDRT_HlTe4PqaMKdozL1lQ0SgTtqFucuF2vFq50=
b|g+-
~utVN
#=qI5Vms5JVXaVkwalJFV3L6w==
evb3+sG
SetLength
#=qAySeqCaPs9tWWTa_P8M4Zg==
-l&~s
#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=
#=qtcncUaS1HcVKUD5AEGHBokWqEL$GDDjoAu8asy_oLis=
ffefeeffe
ffefeefeffe
#=qEDU5bqS$T9T0k2xHaznuPTNI8j4z6II52ItUe0wjyZ4=
#=qXCoQdguduOewiATPKLDvyekx3X3r68VNkZOPBX9O5lY=
#=qvJN63xerlaB42Q0XUG621g==
Decrement
PluginUninstalling
#=qwnMPoJqYBxCKR$s5x3I3EQ==
#=q$sTc1AZMnHRC7q_PL2hWs4JIEJoo88_IAFcWtrdNt$4=
feffefefeY
#=q00kXQ$0a$SV9DIgRtf4NWQ==
SocketType
#=qdw5QBoXX8FR0LrkjhWN3qw==
ReadUInt32
#=q1ZcUbkVKv7wahbk_Am8y6A==
1)!1_
_/o{U(A{
#=qJ2Bo_iSk1Tt7sQHk7C2ESQ==
System.Windows.Forms
7I)qt
GY!>yw
#=q0zLeEY98tybLc8FS6iVEWjGp4MNZxETphcH7ohzBXuY=
#=q7O26Wc9N845khaV1IlgZGg==
#=q7Tql80HUgCLaL3e0n4j7ew==
#=qCSC3Khfzx9$ef45TjPThpcJgh1Y2yjEovdFzCbywzqU=
#=qiGEsYAsOSz$jy0hyBv5MGPdLIlePpwWMgCE_Abe_mLY=
#=qHU4s4cJ8BUWy$MQH9LPGxTniDgLcWFlt1CmhZ7PNRWA=
#=qoKX_5NDx$uDAqG3r2Qdnaw==
-?&~]
IClientDataHost
get_BuilderSettings
_Lambda$__3
He?J^
Single
#=qXjNBjXFhVcOvrRAG8alfq96_gJ4jOa0wwNOaztY3QjLWnMT6wXGDzBnHuUkef5N0
STAThreadAttribute
RegOpenKeyEx
VDw){
#=qX52fPnzDspvxDLERxqgnmVyN3O6kmNVEBrlqQ9OVPeE=
#=qsqmAgLqQh_pOiJq5Mcf5Ii66zl6iLnAX8VtqTy$uxhY=
get_Name
#=q6oykuAaezoPWCQHwIFBGYQJoT_doGKMmOjpzn6ZJomA=
#=qORcQ89THKgijJ1sWRyjf4hLd1g4H_sosI9t_gkVfZ7g=
#=qZHoyzaJ9rjmsFI5qWuYXUQ==
GetResourceString
EditorBrowsableState
B8i"~
#=qRUXz_3fP21juNHWjDYL16Q==
#=qcyp860KJctHXULF8nCr1oMRR0y2kU8XZrQHqsInbsAM=
InsertAce
#=q9rPQSTp$UBZiTGc7mKlh7h1QvRgfs0p_mQAaIRjRIsQ=
System.CodeDom.Compiler
#=qNQZrJgmZwpZh_4yrtaf9Gg==
get_ClientSettings
DeleteFile
&'E,]
Double
GetCurrentProcess
#=qU0vjurWIhbfq4$RoGXKKVfTj5MJBenZeu2wAtoCJAJY=
#=qYGqPwTlQx5HSyCMpKnJtwO$bA4uyJcKD$pA6WpBamRM=
#=q9M64o5ghSlB001vxhTt2kVIQeNtcHtzTvRgoYr2$PVs=
|5rpe7
#=q$JqWZLd6UPV3jmsDHksd2EmkHWISQtPlvGx8vZ7hHXE=
#=qClMnNCTDhIIGUYHmdm$xCQ==
Clear
GenericSecurityDescriptor
U!+sTj
#=qikOQWBxvreUKIkKm4o4DoA==
'6KfR7O
#=qI2pAr92bRdzddapVaPVhbQ==
#=qHy8pXlBCL$mvAXWQDJUnVpxgTTYNWuQ4Z7NdFPUhcZs=
#=qEKdoqcCD2XVb2atXAIOmL$Gnnk$r2oNLDVsEymHbxMo=
#=qU_ZXXWlv_8PtJY9coDWiH8$dVbE9S$EoqFVRvxhPtE8=
#=qOgcjmweVxeuvMU4cvcFOmg==
#=q0qLVKF4NbQlcaunYsixITQ==
ComVisibleAttribute
#=qWCa2pDyuMnzTMLUOIIx_zqZ1n0nAbCh3XpyakFsKTbQ=
IPHostEntry
32EJC6u;IYz9
^RH"-&
#=qFaxhQMbuEyPeOadTfKIzX7ulwKfSulnteVvHU$QDlcs=
b`h*&+
#=qS8syUoAGHVUW8$eQd6_3_g==
-kL?R
set_WindowState
S$'U|
#=qfXdNdmKHZO9pILMTQ4gUIFhfl9KPJm2rU8y_LQsTH4c=
#=q7EIL8N8VWglyI984D7TGpzIPvdOcvYIRRwfMeKNyDDs=
#=qgPQkZ3GBDc371jzhubcNPqmxfqhr7b78DNmenmuxGa8=
#=q85afbI_HcqBFOZnC0iAqsNghLb3LsuyjFtpLEYYoPX8=
ConnectDone
#=qfpNcQ8IYoPRIQgVc_nBfXzVjxVN2nY_mFz$PcDXaKKw=
#=qnk9x1Gmlq5UZ_X95yAl14A==
#=qrpluguOr5I7WIqr51cA8ZQ==
#=qeWvkoUO61qxfYbQKV$cOPQ==
SetBuffer
get_Height
ClearProjectError
#=qCSH0DtnYKogitTpLw_M85GR1jr6BVuF$16hm8cfUYWw=
KseXr
^YkG#C
-&&~r
ptQY1D
OpenProcess
48zmp
uP}b7
#=qKqE6jaRKu5jJvHl8RwywXQDv4h_f2ISEaHK__Drdd$M=
#=qR_QBxpRX$xZ1vjqVv0afDQ==
ZRvcv
#=qYuHUjnyRYHZqCkKAt0jj_9qFBzmTZKte4i1ou04eBWY=
#=qAkkjpY6IHZssIsQ9hAxzTw==
Invoke
-T&s,
#=qGHv1IOurZ6januU0XCThS7E6H0kqAtBD9d30RkoHFXM=
~:}ew`
#=qOsVShdMttD8jGLf8zW9G7g==
#=qEWXagqzV$_PB$92aNfTAHdvK2qw2uvSxy$UVh0K_lso=
ClientSettings
#=qrzlCozsOJIqLxGzoulKftCL7kUWSuMYFdc1ca_yCcBA=
#=qGjStw3GYbvUue5kapeAzmPJAl5$UDUb723PSvMiCGdU=
#=qtLsfqPVQ47D3cdxmiwAJAQ==
#=qnnmAgQGEsJw4dsVn9gN4wJbRL4WqsDa_V0QuBPM2E4A=
get_Chars
Variables
Ns\8OX
#=qQoUfP$jAQrKMjDuqm54QmA==
#=qnaTZqk95Z1a8JBLdKiF8aw==
#=qwyLCYYp4MoTtTA6T$fEOIg==
GetEnumerator
d)PG
AllocConsole
Dispose__Instance__
#=q5j3wvJXlnrGmRnKUHr_1SQ==
#=qyow7wBpiCNNIoap9jI9L3Q==
#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L
EnableVisualStyles
fefeffefeef
CreatePipe
get_CurrentDomain
#=qo5Pv9nXCIU9X_B8SJDUR_qgp7npNK2pA1rGP0GNQ51o=
#=qQJBwIjtEvP$UD5Stcfj2wASGBDPz6YiX1yXx_MSfzPs=
Empty
#=qTZGarPS37Dw3Z3Ipg_AFug==
#=qNdKVs_XU_xYgnUK9ZfVshw==
#=quXVzKqGldmgtXgVm61aLog==
#=qAR9aFFQPEovpFzvfokoGkw==
#=q61s8d6EIAdSsDLLjqchw1w==
ffefeeffefea(
#=q6CxZjTl3_v2RHWKegcqMWw==
#=qek1Oy3FoZ8ULt6r5iL2pEQ==
kernel32.dll
#=qvA35ZDPTM3VgF89oJb9AmWFE4pqnIDYGjeV5H4uvblU=
bIC)<
#=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=
#=qJRbhy7_BbunS1O6hH3MqZIufpnZboV6cb5Cv4qZI1D0=
MaxValue
&&*}o
get_MachineName
#=qp4XZ9Ss3K04S36I$7WhtwQ==
V._H8
#=qMpgSfrZ_Z1PFlMpqVHDctw==
ubzrn*
a!5aE
X*]x.
NanoCore Client.exe
#=qKKh2V4W51UBGXR09J__pug==
#=qmL2H5Qgs6vv79mCqS$t3qg==
#=qG8K0lOrmHWfP2KExoNv$5w==
]I]XLh$*A
3,bDD
#=qUDQctXsgw3eGxqcYAxP8MQ==
#=qWFUoT0l6elO8yn$hIYUL6Q==
#=qhPT6K66KztLE5cE8YZMEsw==
RawSecurityDescriptor
#=qhz4yMg0WDLwu3BJp4fYr0w==
lSgV'
#=qgBCfMYp3J4fCYU13EId5uw==
BinaryWriter
go,NAw
|I5v}
set_BlockSize
#=qg$lb3t6abG6vgSpzSjJlb_$AIzqYfos5cl9DWFolUwM=
#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=
#=q_gCP8hm5SSW7J$3R7xJuSA==
z#cuch6ZI
#=qQKYqF9uhb3QdjdrkvuxjUw==
LeaveDebugMode
#=qXKuFJhTO9qh0nlK1iXbbSH7y8Djn0mggfIDxOoarDyE=
ComputeHash
ConnectAsync
#=qB7XWHK8gygwSs$Fj70FiWw==
#=qJ598Vnr_RIwGnHqFfQsYCw==
set_CurrentDirectory
fSgHd
#=qHj$POo$6pkhWHVC5cES_2g==
#=qAsEDmMyJR5b6o5oAn_4$qhqe51JCfsU9Gffe156c8UU=
#=qukf_DyAYprvhLsdhT4CGuA==
#=qoTZi9XCxEGJXLELWnV3yfQ==
#=qDEcM8KorEdChS9luywSNQA==
IClientNameObjectCollection
get_StartupPath
MessageBoxDefaultButton
oL)c3
#=qkFwCVmJ2HhZ6r$uKeVZFFfVLdddj$WEInl9bSgbErDM=
#=qEk42FAaXkrNIu2TP76IakA==
.# G'
.ctor
#=q5MtzoDWNtlkksfPTHs5qXlK2k7ZehKenYzDJQrgdOII=
#=qdPDxrK7XRQZlwY8QeW6oe0AEoOr3qND_WVi1o6l48tc=
#=qvRKdouixzy3mopZ1VtjZRIxbtiSW2GAGLD$37iVLn9U=
#=qJLXxSZzWSVDQjBBC8RxpqVbwxFaxTu3ygaLrjLvlmTw=
LogClientException
#=qJAZ7is41tIXMNDQIkGLgjRC15Eis_QBrdFx8JT2Rx54=
#=qqCUKpKbVq45Cc9OUN5wTXw==
AsyncCallback
#=q8GRQigucU81Rfg9VpK7PVLcjulhhYVPijYKMm9N3PJs=
C4rwC
r[D}E
<Module>
#=qXz2OER2RItZOjngvYurWLQ==
#=qXCUD4SfDr7DmFI64sweGXTg5Ns_ZxTOZPqBRcEKWTQk=
#=qhVWucYSqOmMmp4RgG95tFA==
Si+ze
4.'[G
ClientInvokeDelegate
#=qlMIFeU84lweg5Ul5iSg2vZUvNnPKw11XA1pEUQfzDeg=
#=q3d9CqFPpPy$rBhZvyFIRs_ElAFMHTo4ZZuE_g$Nfrnk=
IClientNetwork
#=q0myQQ6i89t9SZyjYDXZrBLa9ljWEUD7zAwJyyFZowQc=
#=qKY90T141DaVDQT0DHaMEr8C6aPEoolamkqMM94Ir$TE=
#=qM_mpCWjOCBlruGH_QcTQHocD7LUJCLuKe8ntf2VtQlk=
IsNullOrEmpty
#=qD3hoTFeBJT$SvX_fQh_aIw==
#=qs202XG_JxpBwpKhptOZhRA==
]FG;K3k
#=qJMNT6BwQKSi707UHw9_x7oci6egKjto_AgHYlITH34c=
#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8
GetConstructors
#=qVl3h61LTPSW_ew_st_OlTAm7x_6Xu4hQK$pi2fSiEIs=
#=qSpdFO0arrQmbwA1JpPKL4TCAmwZYVDNVmpRQ6ryTPgs=
Contains
ThreadStaticAttribute
#=qEhveuZChxbRj66Cj2kCGjw==
#=qIe49uN8SyHwjwKdv9N2r$A==
get_Assembly
.*%6M
GetHashCode
#=qA4f0kKyGXTRnU4z03oji_RIPyVnvoC_BRjpESDLHXqY=
#=qL_Q_RdUm_wJ7VeVwUqRXbA==
DESCryptoServiceProvider
#=q5WjY_m3ubVFfbJuyu7GMxA==
#=qrJaovDbn6146mBrhFbUMbw==
MemoryStream
#=qhA4OqIvVSMpJakxtoytoCw==
!U7aX
#=qTYemjRfvVDuBO5lrz3Aq6g==
#=q35mMBfMcRRKrjeZsPOCz3A==
SecurityIdentifier
#=q65znFg0_234nfnhL4I8yRSIMDpdjAosbzeDfyRZVW08=
#=q_5hmJXim2EG1abw3Kju8nMffXDIbl5na4zXqclsRK_s=
#=qAzhW8LcEnUCELlhG4klMCnw00GcHco1N61RthSA9zQU=
#=qjcSlrUNMLgvZWN$58FXdrl22$0OjCpoqksNsslRtIFE=
set_Visible
-SK1$
#=qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg=
#=qi3LnKomYQ5KrkAbxbJpKCg==
#=qjAD5jc_8Kg9x$NoAqFAvpA==
Application
RemoveValue
#=qNn8WS2rooUJUoMsG84mQ7PkK4IQF8$E42cyDjfL7Kqc=
X8.2@$3
IsInRole
-,& ~(
MF{B.\,
s%dEUK
_}<>b(
#=q6TsObh1LqPbvVPPz_YjbtgEdyXL$082jRqG42$db3nw=
#=qq2h0VNJ4eWuHP5LphH0mpA==
#=qGWcF1$SkVAOkK9Bjc82XDg==
!V,(q
GetManifestResourceStream
c[Zpv
set_UseShellExecute
get_X
ffeeffefehah
FdlvK
OlfJ@
CompressionMode
#=qkzr_P52_BAWJXliKWvb8Z6oiWEishcUAemTNzwiiwkk=
@DFe]g
#=qhYMTmNdkO7UsEcfduWinsQ==
get_Value
add_AssemblyResolve
#=qee1h2XwRBJvy2g__X40enQ==
#=qFNeaOBvMHuebCbgh$0IKkw==
#=q$jOt_Qd3idEY2i2z8zIong==
#=qoStPOR6UymX3IGbwW$iFxA==
#=qkxH2pC1tIcRyW8E4TCtfHw==
#=qecBuZmXKFD$jZa5T0d0L1w==
#=qwrVB2mw7gzmYRanSJvSoPg==
SymmetricAlgorithm
(~3c82
.cctor
#=qGGQk9IvbDfVOJG_jRDHqOA==
'UD_'j
GetParameters
OKoB<
#=qhSKaq9YW4A_ja0UC7Difmw==
*%x(#
#=qr1BSJWWt4_gjKhDM1XdrUmEEDWmH$7z1xaJvthJ97EQ=
#=q0yJsLo0aFpSu9ky8R9f$lw==
#=qbbzTfwYbEfmovMRrVY462ipA8X_tt3oO3M_wSSE0I_A=
OpenRead
EventHandler`1
CommonAcl
System.Collections
#=qW1UvUJT2hH$HRJ6kt_DhXQ==
xFPb*
#=q3VDCpnvucWhkt3J6zytXBA==
#=qo8wG17V6QHcxsU4R0xmY_Q==
#=qjVLlQtRAzKVOtyLrw5PhiGVVmXqMJJOsTT5DxaenWCY=
#=q6FX$JRP_bY_ZCQbx1UwWug==
#=q7_KHECinDx5vq1IBX7p8Ow==
#=qK5Mf9uxDCjwDRfyJQ6kp8A==
#=qx4AWw22LafncEy7CESjbGQ==
c`RGU0
#=q1Ld$ycQpy0q1QvYRFk1k5lwgysKVR2tJyNFjakVtbYY=
#=qVVQJ$z9bl7kHgfvJohZnMPofzhiFJ4f4yMGK7Tpp6xg=
_XvmS
#=qFWLbBQgFiIpy22HFbhF9GQ==
#=qmvGJ0E7$XHigSQAtHtZ6z$on2iAwFLBiFtrUR$DFhQPAtVI2LIgzNztIgPvlO9K$
#=ql4R4vy5H067cy2C3KkF7Mg==
DefaultMemberAttribute
#=qGgXamaT7IeK3DM0oRfGI7LZg7FrEWNz8CI_5MUlFEJw=
#=qo_N0HkUaMUQFRCOsgr2ciQEl_IzgJy64oQzCRnN$Qy4=
v_E7o
/.ffefefeeffe
#=qFBEI0HItLMNpyOY0AgRxSg==
KeepAlive
bZ-zT
#=q$E54nUJeqC5jURP4oCRU9g==
#=qMMkhBs_8vtf4989qCM6TUw==
4'aDHS{D<
#=qUzL7S_0eXIkbwTon4AS_WA==
1j@@C
U&3d>{
")cs`
Restart
&Hj<q
#=q9VIijSO53lpTS2jV37$Suw==
IAsyncResult
#=qxHMqkcY5ri8Rsxs7KCJ8ww==
#=qv1Nmoo$HMwdd1A0cX75UdA==
note!
TextWriter
2H^}~I*-;
#=q4rZJEBSRFNm6PYOH7NOLUg==
#=qZbWC$V5YeersjeRitYkSUw==
GetDetails
#=q1t2S$ib6pQFvBWAJfG9B1Q==
set_WorkingDirectory
GuidAttribute
#=qrEy8UTPh_zjKUNPlgJ2H5vQaVxSgPloAxSMCkFttuk8=
AssemblyTrademarkAttribute
#=qUlcwHJCewxIUk2tiKMDjXYc$Hb1k7TCZCyGdm6C93UA=
#=qy2xCoaL3Dm6E0MYt7i8x7A==
W\q_b
DateTime
#=qh9KSqT0kHBFSDanZ7gXkKb1vdDfzZS3JIRcUnMfcljE=
|"{t8
#=q5uvtKo7rLfT5wGY5TBS4ixmbpGEL_B71rwbORlBpBKA=
{1RMi
#=qqn0Pbku3c3j14idd7rNOJmIbi4WueHDQGNjxpToWe9w=
#=qfGQBFs$OKLefNYKSta_Lbw==
#=qYQagvH1k4NeWsCidwFRb$sQTZXPGouROQfmoImiPGDo=
get_Version
#=qCI9CHxEGVm3HnYdn52IpdQ==
TLDP@
GetDirectoryName
Thread
#=qruARjy_8oZkz3lsHPGxBMA==
#=q_ux9H7Sh7a2A98b6QB8m4w==
GetAddressBytes
Directory
U-hW*
#=qgbI51haY38WJ4NumXDqnLC_uKv$aRHAyD63c9HgGYzlsFjikAASqT8RCSswEMouz
IClientData
#=qrcOHnfaYxPMN2$QaNhNmcA==
#=q6zjWArzQ8Jv_1waqxSeP8A==
#=qWFEttW6Y2i$LC7_zLCNdFCiHtPH1yR98w7TbmrS4vUE=
#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8=
SendAsync
#=qaSWqhswYp72H_CatHelXxw==
HideModuleNameAttribute
#=qrXs2l$bWJlHMZLHncLNYyw==
#=qeAiPMWOD6_wvQ4$bYsFv9GLgsem$trQFsnkw3WN9igk=
JUz|G
GenericAce
#=qs77tphQ2NXlLwCZkimhHsowpXGqSYmOGtKiGHHIs4aA=
CommonAce
_$cN4pZ
#=q8FSwXWaEOgeGW7OlBosSfg==
FormClosingEventArgs
-\&(#
Yvc),
#=qY9NY2gigPsj8X4CYx0UCT2vGlqkgsq6GuC2fWqP3Voc=
Q!Y+M
#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=
set_AutoFlush
Exception
InvalidOperationException
x&bLGY
05MB0
#=q9DR9MBj4z9rQMPU2Q48EqjtFhU8AMGWHK02_s7IakJ8=
get_UserName
#=qJ8bMKCzzllPDbJIfPSoGMA==
7&NM\
#=q$fGRvwQxjFKeY$SH10p0pyPTU$R77VMKr3CcLFQeQ2Y=
GetBytes
#=qGzqsy60d_qAVRip0TvyGow==
NanoCore Client
#=q95w9MpaG4ZcgkGgnmQITOdHr5IaLXD8aC6o3EqtE0PQ=
eN)9qy
ToUInt32
BitConverter
set_Position
S4ub.o'
#=qAk5SEnvr6iWKzWTaOapTEA_BFwuNkz68xuZLTnuQOh4=
#=qREZQml1AE$F8eb3teEaUmQ==
GetFolderPath
GetTypeFromHandle
#=qOR7qPTYp9qHTyadzUKgUYg==
#=qxH0vEx09STdEljqb$W1E7jvc94T2TeZBAEeRdiG1_PA=
EventArgs
#=qamR76KZ1klLpv5s7oSbjxA==
W5LWz
#=qJBJs_Q6YmbNTnGoWFx0s8w==
get_Current
#=qtxap8xCUFH7z14nNy3cjjw==
FileMode
#=qlzCbqLxFuzycCPDZStFfAA==
{J82]
#=qd5f1i4cDO3tAO_bEb7g1cw==
#=qfHad4tglpNfnMqZ6nFkPPA==
#=qZRkZQGrnZUWoFBVE_TP$5Q==
#=qS8q1FyJsn2_ukKh5ONBATg==
#=qA$TQXn2i$KwpdqxTX6vvVw==
#=qEIGjjvppBA3BShbdBfMkQQ==
%InJca
#=qOKSmYE47P2z$UXqGETlnfg==
#=qbMe5UnnXEF8aurHaZz6klA==
#=qDH4GuNn5iW6RFhEPrfs$pQ==
#=qJdNCQZ8JQCfthL12ut8Zgnr9$rl3CuJQ4GAn54E6CXs=
#=qAsxHG9v$MAI6$NruMbxEjA==
#=qk$cpdn6seqbcKjxGnztc4w==
($(6h
set_RemoteEndPoint
#=q5hEV9yBEvglIR94FFM9OBszK4aiazrmJrQshba2kpDY=
XKic8
;_Zf[
#=qcCYGLZOh9EpzU$sjJG8ZyQ==
#=q79YE7jk$t8I7uIUVykHcVA==
#=qF7qP$SJNVn6Q0z6ARFaJgM2aiYbkFhrfYn4Rl6Odj3I=
lWKhz2
#=qQtwc_i6uv63Hs$aOrPLxrMU9lMXbhRW79NANZrRxozw=
TransformFinalBlock
#=qDt_4RPbN$YmUyKsVRrbzrjU6uaXWwjHkaZoJAcuFCCs=
#=qP42Tluk0y5t5VrN_nwVhnaX9baaRq2NaLaW6RMHNX_k=
/QX}e
#=qrSKFiRrFo6$kUL7kjfG3zg==
CompareString
ubd_A|^
#=qdwmMObmoGgv5eEpelZDrHiipw5mUgryufdcXXig375Q=
get_UtcNow
#=qmiBgFZvSMQ4WgT0UQIJlEGkYZhWP0gsBGd1anIAH4so=
#=qKKJCW_KTAsIH3uNlP3Z4Tg==
Equals
#=qDwymJFr9Z$8uhJ6g7so5xw==
#=qWrm21vQ8CBMZP_RBTwpusA==
#=qABNlGFDc7nOg_C39swAcLA==
#=qTMXjZFh8G1ehMXQzo1c_k7izR$ZNvDyCJY5aoZ0yOe8=
#=qwHAjqAoc2lT8vaebbsWerg==
#=qyI9vgsKRXHDyyks4VCAjzA==
#=qLLh1749MqIyRucx6BFMp7Q==
G3feffefefe
h]rYT\
suq)-"
>Na.q~
#=qObBSq08BLhHK8B6pYQSLOw==
#=q3p_D2U81K1hW2D54P32yDw==
_Lambda$__8
#=q62cZqzG2QOltpyG5v7exPQ==
[SZB+T*
B.u91E
#=qiNB6YyqAJbx2uPAiP1Ihw9dTNEtwaZElmpYLZcGO64Q=
#=qtcl57G6kPr7DDYeWeY389w==
#=qQ7tSKwAULKz8TSFsLbtapA==
Xj08'
#=qOmCJCQ4xVqqqlvNEZD66Wg==
#=qTawRDksY2KFvY5V2vw1_pA==
`uc0^],"
get_RemoteEndPoint
2jx>7
#=qiJXCsKWBF9DB88uzW4b92A==
#=qo8RCFr_ecPE9NSA5cyD6QQ==
#=qQUdl15sQ0xTV$45YaAtVB9Bx2NeRc0CC_5Lr_HuNXwU=
System.Security.Cryptography
#=qw42CdKVHw2dycv8VU7DItg==
dyt-W
TGpuY
GetValue
Enqueue
#=qeADSRAqxC2FlJbA5Uc5$2A==
#=qVqTMYHwCmwUHM6kkpNkbGw==
YV= J
#=qwGYG3$xqr6oMjxRyF4i0Uw==
get_Count
rm-^|
#=qRtpaHvp1hQcEDS$UubP_mA==
#=q1r$Sd9Acbw6KsKv_F9uYTPvvGAfiEwUnai9OGYAUQBg=
#VO'S
43s@a
#=qL2Az2fdQv6DkEBC_x$bbMA==
ProjectData
#=qWszclzYrfU2ikD2Jo7BLiQ==
-[L=k
#=qcfHq18AlWjOy12tBCM8Tbw==
ValueType
#=qaysgaPdcuRrUvev6__tYEA==
EnterDebugMode
ResolveEventArgs
#=qokX_wSaMFvPLXvDQY377gw==
Delegate
V`6Xa
Interlocked
#=qs1aB65G6$bPi1$cdOrXkCA==
#=qFWCMyHOrl7QbIPkMYdiWJg==
#=qM4zv780c6Jc3GVu15xhaulIEjuiWD$RKEtosugOXKLA=
{p@==
MKV)/>
#=qnDLRD4lBlfyGeJyuSeq2WA==
-/&~J
#=qd92UVUgmlXoQZdJDkVvBpfqQ5IrxjaeWORyWFC422PQ=
NanoCore.ClientPlugin
#=qYCS3QLrXk$FWhHR$BIzDXQ==
#=qJOtLSdKNdNGjNNoElacScY2TTWmLUvN6XZsl_FLfP4o=
get_SocketError
#=qOgNXWEIS3IQJCnff_sTmrA==
v9?*<
#=qHdV5wMNiXS49lDrqJF3pqA==
WrapNonExceptionThrows
GetType
set_Key
#=q3C4Iol1nMl5AFLWNdE6nxB2_kG0uXzx35vvsn$gQzt8=
#=qdiuHngY4wejUsgFY5u7CtQ==
SocketAsyncOperation
gw~L\
fefefeffeefa
#=qDTvHA26pSwiGBDknUzewBVNt3YGW7YeSiQRH8F$_CMA=
feffefefe_-
Version
#=qpSjmalSIZ6iBUAWRLBOkQ5sPqtZAetb$LjkOVwAdUac=
#=qD_C1_4vUU8j6eQSUvsJDw_O6DZliNi$NDCaON05RwdmBpVqAu68W00hmx80mCKp6
KeyValuePair`2
#=qbzig1$2CwLluEJt5uPtpgqPx5y_2S$GoPgJP36N8bTE=
#=q3eIsVMg85$T5I_yeach_tN$TJG7$vFUaeExZx7tMHps=
#=qxLboOdsVFLmyLD939$tUsnUMYRMeFnzOLiWxQdY7sdc=
#=qSl7F7iXGTH9iNXHds05fxcgA7Cydd52A6vZtHH_41F4=
#=qCy_StxaanQioOSGQ9LimCF9_Wy9AMBNKclrIIUI0AWs=
#=qUomzGDQTZY7jASgBmW35Fw==
#=q7Kx5VWqZvUxLZ2L5c7WH8A==
ntdll.dll
Wq(`eA]
feffeeffeef
#=qc46h_4WA5z0UkWODs1nwXg==
#=qB8Wn1MJrSNWupWDx0sYcAQ==
Mutex
#=qHtBOSXbLfhirIdzL218uOQ==
ClientPlugin
#=qeXI2ChPq1TaKaY8cTwWe4uWAyXSGUqAWxM21uH$6gYc=
9feffeeffefe
ReadSByte
}Fu"$b
#=qo734_kbse$6lTIlwlz6A8A==
#=qhnLoeDP_EbzJexQQPp_LLA==
3[@N:
#=qnDc3CmkCB1QeN2dXbmqV1Q==
'5$&;
DebuggerHiddenAttribute
#=qfoMVJHfk0BnMs4x6mHO77Q==
#mvl9
afeffeefef
p20S:[!
#=qWsrg06gTzsE5hhHu57fJFw==
#=q$6Q_u19FhL$wNOun9AB$CQ==
#=qW1Ty88cS3yMuRwgBrH3qpw==
#=qGPdnFVTlqnS4tiFpuQulXa$2eC7Pe6YqVeImkUGsMl0=
#=qXOmEbR_8DUzPz6sW4Kmd6kaKUIQOYZdTpvq2CkB17PTlG1zEUgI_P4skJXU2VwtO
!7k&Y
ArgumentOutOfRangeException
#=q6uKQziMZIL8_PaX2KpbPTA==
/l\g06
#=qvz1sVA0ePAgs1nzIHQTFVtjljpeJ1QO1S19vLxn8DMU=
GetName
ThreadPool
#=qOYQA1S8VHR$mOO6XXuyF9Q==
Control
#=qsB4PatedVyMOyo9s5n1OTA==
#=qi_z83UuaQZa6UsXCAahbTQ==
#=qQqZpewiWxGMAW$tQ9Rz23Q==
c1 [1
My.MyProject.Forms
Vy`?:o
0J8>')
#=qZvjD49iuetyLKBIiF$ZmjA==
EventHandler
StringBuilder
get_FullName
&&*}c
#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA
#=qw1t7iX7Q4P$CBQxdhg13BQ==
#=qrQRxQdT4MC1qfwOd4n14uA==
#=qa3EpMqO3KVCTrDUnetWt6fRbeWox1uN3vfSP5v_W_wc=
#=quebj1wBCmruzAKmg6Y4Igg==
#=qhme1CFqs_evb4VXik7N4x7lNdqSfuNy3r3OUWZ1V4Zk=
#=qKpwDTqgBVuprqflj1$7QZw==
#=q2Xp4jW9C8Ta21HxmpVVhKkrHyOAsktLziyvL$pPr$5o=
#=qCaHpjtavBmCU_o5x0kJsKA==
#=qxG1wJpkOHyc4AD8gtAdxAA==
-<&~C
#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=
#=qui$hq6ka6v3VYA7sCjpJmcmNECKESf33DUzrmeSOmg8_E_GsgWi7VMMVWUGuO5wH
SearchOption
ClosePipe
+`(Gb
#=qb0tmyILenEyH_R9DXJFwB5rGNfkKkR0Y5sGtBRsV3YE=
IClientNetworkHost
#=q9Dmi1iXzL1JAj2RiS$Q5mw==
krmWR
,$&s:
Microsoft.Win32
#=qqRc2eOIidDtWq4y7W2lAhSyv$pBRJdAsYlXSRUcwizw=
#=qvbTNBihG2zARsewkRIFTSQ==
#=qWLKNBubktRcyu8vI4dIAJNOqajvyL7NccmUEC4QD9y8=
#=qHiBdWLOLLVg67b8lN8FRqgmYNWZfcDieu2MH9_zIY6Q=
#=qOsu3u3mLIa8ikCCuCoOv_w==
#=qs0qPjhSgxy3k5gj_gt12EQ==
Component
#=qcrlhteALkcfYnKFH$UWw$HzZqj8gdN8_KwUKIC_ywUo=
#=qXuSOL4ETByiwdARI_Ds0Cg==
ReadAllText
#=qUVvjDZc2eypEDWG9cFZdTg==
#=qP6OAxyfxw$Mj0oVKCDnh2VZfwY2Ap_uDBmUyxkn98Eo=
#=qsOMWyP3LvE9$utIXVnRnmQ==
FileAccess
GetCallingAssembly
%vz4x
#=qIOX_rwHrS_RLFL2igzRsUQ==
4FS;,MM
#=qKXWwuvxG9klNObPbc$UF0LIw0aZIk7Z0VPIncl8uFJQ=
D|3[5
#=qhv_9OQaSyr5PWElvgkBxFw==
.a;*x
get_Variables
#=q_UogavoS8ANyZp2cF0B9t7qG1b3QUqGTYeTlmQIKxqY=
G&Eg\
!].p]
#=qU_UZ3uhfwWgI9uBw5HT3xA==
#=qbFnmVfulgLVjclcqmmhqFw==
#=qccx4d_xNMPrZUHpmyYb7fIKkXAFa5XEyOIxXg$XLtBw=
#=q9WHClFSp7T8oS_DNFEbAHQ==
GeneratedCodeAttribute
#=qIKJSaaKraxRzi3AD57FKg9MQkSdmOqUcHNxKjSZFGkg=
#=qixBu4j6Hm11f3$mLrzkCcE4AVWtWeNn5nQguwdGbWGg=
SffeeffefeYa*&+
get_ExitCode
mBS|c
set_WindowStyle
#=qRkk_hj7p4gbUu59IVllqeQ==
op_Subtraction
#=qy1cXcK8A6uRpLlCz7UKkNw==
#=q_kGyEn8KrmBmt5M1N9cUSg==
#=qSJAMGBE37IZjr90jS4_MYNWNa1$s8PXhOErbnAhK_ZI=
1.2.2.0
#=q$7KUBFuOZT85iBmKYeGgXQ==
2N`i!
#=qFU5Nq8bBPIPoBGBl$k8ehEhmgSoFzsflrFNnOQsCK6E=
WdSH6
ToLongDateString
#=qpNR_LpdLu_eSOZVgxbr8UFRlKjbiBX7LOuGAbGS07mXUJI3AAilu14uPN_kfaTpW
#=q1vWrLhskrN4OoWzxKuDDSQ==
Increment
QueueUserWorkItem
#=qyo6slTMfgD8IrZ7nr6inHA==
#=qz5nGZygXT2sWR5FWGAcAzA==
i,Id`
-4&{c
CloseHandle
Qo)hSX
mb]OE)u
get_DiscretionaryAcl
#=qyMcWoZuG7jRWeztMnp6fPmxxmqfVgP7DLzGs7HeF4Mo=
#=qDJ0VTVPWfAWYghKX_DdnsQ==
@4;oOB
#=qSh9$w8INPkos7acCjV2yFw==
#=q99eEsMLSp2$EVfl66Ua2d1YMqB58RPj30lLgJzJJ64o=
System.Diagnostics
|.euR
#=q8xbuK7pqyq7mWB67vviBtOo1WSCccuR7xEQnGnyxMyQ=
)}8.m
#=qtS81hD$ORACBvdEkFyqaXA==
c_Nd<
#=qxG$Aklpbf6gyBfAqTMmORA==
#=qqj4vWwKBJgvjF_JTc8V9cQ==
SetProjectError
get_AddressFamily
set_LingerState
#=q02vg4rlYSKrSiDNi4xWbtg==
@iOLO>??3
#=q44BQlEuOnjFd0LbnzKKIIg==
:hu'a
CLSCompliantAttribute
j#'B=C
#=qy7SaTx6mT2Pix1CP6ET1Hw==
b'Ohi
,Q:i7
#=qyU_gXk4hv73zg3zoSZSLhQ==
ReadDecimal
ffeeffefeXa*&+
#=qpXMe_UDgWsOaRVi$02jxzg==
#=qM9NIml9iDZh$Fjh9MocFWw==
#=qVqLFp2u1the0Txg1vhieSw==
NW@5q
-&&s9
#=qmzYu_D9f4dvUPauEaU7zvyNjCyGp_73Xn5SffrcfQAU=
Encoding
#=qZDHx38VzWszDP$NdqQpGo3ak_Z$zbLpODJse1_Sr2hk=
Dequeue
#=qi6IJz6lHhd8GI6qygHcvTxSTD2wk_BSYwC2NR2eR0yg=
Ko*/B
fAE`C
#=qaPkEKJmdD7BgG18R0WsnHA==
FYodp$
#=qbYAYBaHwcEbf1CaxjAi1bw==
#=qGjp0Vb6efONwANkcKrMTkIBxJvr9AleFfJriudyTw3c=
#=qpghRvZG4ZfcsmvAYC$o8qN0WjB387Pn9cG$Y9HJ3uwU=
ZLvpY
]%vkmj
BinaryReader
#=qbmVTgf9cRSZkM_UgFSJrlQ==
#=q3rtw1eBB$yyPLXzQW$mDOw==
#=qD4n8L4W9wQXrF7w_31K9bjmy3jeB41mSJJrYkh6lpiE=
GetCurrent
#=qdObzsTSX0MpvDi$OPjsFh219oh6Iw7DshgNWGveAvBQ=
ConsoleApplicationBase
#=qRIR1iTmdtHs$eBwEdoKphw==
#=qth3CIdKay4zIa5SBJzx7eA==
#=qglhcKpwNlOshaHMfwiT0UA==
PipeExists
#=qFgBBonKcV6U3Je0BKZZdAZdyEla0MkDel5SRrEzLUvs=
aBXL!C
#=qwTOYF_qEkI0dXowKJYtI6A==
#=qeE3S$kdx9R0s10U9GzzcFw==
#=qNZVIIdU4QECigaum94nwLctVkDSuRt$X4_IjuFpWVuY=
#=qRACckQ0ejzlKZgeXX_CPJUyKbl7Zu7QfhWW6eMM03VPusMYB8LREfJZQVcTGHBm_
#=qIrsTmpVUMRgxokIHlpGfmLtKeqxo7vQsjSkKUKFpH4k=
#=qt0$GxMKBUHqpa$X5z4IJNA==
#=qEVnoj7wKonGmgnYpK7PNGg==
#=qtz1ayBjdbHAw$ecbWtEnYJXs5RBd798kqoBvIJunFxc=
#=q0M0RRypoNIjajWAugf6WjbxM$GiKS9VjK_mg6sI0TI8=
ClientLoaderForm
#=qqMkZyGiL$PHkYblZrq1S69029tlEdPXkxbM_smmrcRU=
System.Runtime.InteropServices
@pN_02Z
#=qAlVTP0_ZXWJdoW5RI3VoXQ==
#=q_$06eDx4N3eSJzkchUhbnjKtHnRsckM7I4ZqcwfQO8E=
#=q_jQLaNdtSDa6ovA0VGw50w==
#=qyNgKOA3iTYvKx8QtBmkDXA==
U/<Np
get_StackTrace
#=q9lvTmS27dN6FAh4mbOnRsQ==
6BAna
TMpO|}-
Computer
AceQualifier
QLgQ=
#=qdupfYLPCEHNi$xwR52i0Lw==
#=qhRDMBTieg0MID1DJ88eKUA==
#=qj8dHXOkfX1HmIFktLFgFBNrpDhCGGJk0RPJopDOaBy0=
c!};z
DisableProtection
#=qyGoc_ssbL9RdagmvuBld1Q==
fefefeffe
nT={iz
#=qMoRe_p4fasg7BcMJcnicWw==
#=qsx3W$FQbKM7QI$Z1TXWW5A==
#=qO4hvdkAW0_yOcwEk_VD$lw==
#=qaxeBDkuvv4PncQ$UM0p8ag==
{4u-1u
NanoCore.ClientPluginHost
#=qy_aVo5ze7CCnCYXCQvhVBg==
RegQueryValueEx
#=qaRJX6K2L3xhR1w3zuwE79w==
Enter
TargetInvocationException
#=qbNq0eOj9Pw66KrsrDd4qnA==
#=qOTqiIHVN4TWDu4_xhgbifQ==
-)&oN
-7& E
#=qZuX180bPJwK7MhIsqenk34Le3ZCQFFLgmBb4sMlYIpg=
#=q1kCP32T3CbXwL6JS3UekkltOicB4KjO4W45iMQoNvNk=
HOf{`
#=qi1H2yZDbCxvPo0ia9nVnuw==
mscoree.dll
KNTzW
AssemblyName
#=qnOTCmwQWr6BtiNf9ta8BJg==
#=qOWs9MBREWujnaIdYgAI1lg==
DnsRecord
#=qjryTBW16mUfo_ItH9KWoGQ==
sUjT[
#=qSoHRCAcaypsR55EueXBy1g==
#=q0FQ_PiagXHm_B8aG8Ji9Dw==
Compare
#=qRHdMxv5xMrip5nI3eHU3Y52nJ9DhG_ImQVoJh$ooupk=
FormClosingEventHandler
Operators
:UkKI
ReadInt64
#=qNsyg$dsR$GJkSvK2TftGTNPuC8S809j_UmmfNnXTTOo=
psapi.dll
b0+MtA
#=q6odj$nz79NlWTFUK6$Vbrw==
#=qzjreg8z0D4BPrx4RxUJBoQ==
}*Skz#\r
BeginInvoke
#=qj9swjNLNpEBN8mkOlVmrOw==
|txmy
#=qRpw30Lh0nfhDryqjhyjikg==
#=q2l$b42bR_hlbzUjQTk6vFw==
#=qWBzgr2CJEoV4DPIbUzdZZA==
#=qWsAxoahmYzeECOO4WB9kTg==
MessageBoxOptions
h;?N^7
#=qF4e058OW__NtTzhWOs1UXEJiHrTSwnIZ3q2u9UaLbo49AZaoog8nMfoDeA9BGVvy
get_Connected
System.Runtime.CompilerServices
#=qDJ8UKTQIGM$_7XkvuUdssA==
P1K.d
#=qkbMW3ViV2G4xkJU4KS4XYUwKzC$oNmhjZ49L9c8BrOM=
#=qCPeeDj1tZ3_XePWJJx7FTlBzWHbtSGvCe1Je6nRznW0=
#=q8fYxP$_i6Xk0$6OlSwUHKcvhrevHxLXqXqvszBe9OtM=
Exists
#=q9c$dxNln4J1nxxC7UNVnfSKvSgKS421$zTS6z9ahlusddEno_MZclU7Qbfc$Fyw5
#=qa6Qg4SaIgpIknX0EmOdEQg==
#=qSLl9utb6ViD7fbZHSox8oSv7PZDBMO5b6MBr_gzzHF8=
#=q7wyeNFqtiGUhQt6sicod9g==
#=q4P1tyVDbmSIMgskx0BrPh5ZxjoQy0earrulDSsNhpg8=
#=q4fCxMFfzJ9KgfK61DJRvZ5wDvDfYnqR8bhY6TGq9aRk=
GetFileNameWithoutExtension
.text
#=qg61MaViIt3ErBjuA0N9Xrw==
NanoCore
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
+# S&
#=q2JCFpXLqGkqf10Rox8zrAg==
#=q3_2_t217j7pS3JjemZNI07w3dukMmHXPSE5$LTnvGS8=
#=qN$clRL1tbKGnARF7__FwJg==
#=qoa807UEkAFejsz9ub3crU9Uahxxj5JIyAtKhnrEn$dU=
IDisposable
#=q6W8MK4LKkww2JvseikWqeA==
.t}Dy
xD1\GA
SetThreadExecutionState
eHngd;I'
#=qQCd2OoCcjOFxsuzhZKv2M7$UnAX8JX19NdffDxgtv3I=
WriteLine
#=qZnbTkU5kDU8O8$hMGiNZlQ==
$#%#&#'&98:8;8<8=8>8?8@8A8B8C8
#=q4kUEXPi93MnvgzV6ySNPRQ==
a%sdRwu
%5HEl+?
#=qeAvM9D2ZXEFg7Zo1J5PeVA==
Connected
ThreadExceptionEventHandler
#=qqsKAc3v0igxVSmn4Feg8q$1tNTWiqtCBpA_xMlgU$f8=
#=qtkqHWk1kvmO5zt3tTCyF2Q==
CurrentUser
#=q3vPs064Rj1jBOLtFVqV4DA==
#=qYfWGXuhZd0cmWjiCvW2EPw==
_Lambda$__7
Initialize
B)b;q
#=qTKJrybVS3pgV4uZ4KNtp3g==
-,&~~
#=qxybSLhWq6EDNDl0$FuPN8g==
#=qGfiJ4oSCDzJJaNmf22anQw==
#=q5esm6BVWqrzEai7Zgw0cmQ==
{%PH7M
advapi32.dll
#=qKXbEtqEIo3E2xdYWIElxIQ==
set_ShowInTaskbar
z7zqT
get_Exists
DiscretionaryAcl
&&*}n
MD5CryptoServiceProvider
#=qiO2giJomMFK1wa5$389nVw==
System.Windows.Forms.Form
TimeSpan
B8h%X
#=qe99VPFgyNENK$KtARK_iPuwvOEw_NRgC00PdG55dmGA=
#GUID
#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=
beh~@
^85<E
#=qsY8nKQa1iMT2g$sVoLy8u9jrLGP9DMATpaFjFx3wjNU=
#=qR0v_DeAkzbUr6_Md5tN4PQ==
BuilderSettings
IndexOf
#=qovc0J7K6b9Eq_C0K46rbmg==
#=qoT5qP9FYCI8F5V3gKO7eMg==
c@9J`#
#=qzzNUaijPluPyLfyxwDObxw==
MessageBoxIcon
aJCc<
StandardModuleAttribute
M8w<+
Rfc2898DeriveBytes
#=qgAKbtXqj_idozuy66wPGJA==
ReadBoolean
#=qlsj4Kl0M6SYgZMJLZ$QkSw==
#=qFikK0kKzvE4fvbzxpsrllMMR8oLIJtNPAGP1lZZ4prs=
#=qP_nucp5xdFjeAVWRfZ2XfmvYhkwWbeeu3y2fkxvS0yA=
Enumerator
_Lambda$__1
#=qPjPHWXGbaA$51Cna2ZaMpQ==
KJkhAEW*\
System.Net
add_Shown
#=qC6KOBEMWwIsQr_847d$S8A==
#=q7YEFsRA19ZrxKTBeL$y0fg==
#=qlFQRS6FW1ex39P1F_VW7Eg==
#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=
#=qXkgpfghvTKDZGlXBGI4x9veQO4JfjF7GW2ECw9$L3EvyKZGOnziwXE2Xr1EkpRwe
Microsoft.VisualBasic.CompilerServices
GetTypes
PtrToStructure
OpenSubKey
l[WM%
WMPZv
#=qwVGSEK8LoRuNWEOYfq8$hq39mmxHzM3pIeoRef7XNt8=
#=q_WoKv7McWxMc2YtmbiVaCw==
dnsapi.dll
#=qVIikDYmLtr_O$2vZcqLhHA==
UnhandledException
#=qonMVJIv_P7bZ29oJ_eSSxA==
#=qChHxg92yH05lHO0u7UrDcPo$UK1nFXIjb2DI3pyR0FE=
TransformBlock
#=qRYSdRGBC6LM4UFJJGQnk7A==
f11Yo
v/,En\
C4vSd
IPEndPoint
RawAcl
#=qNzt$mJakh1Nxv4vDRDjTsa1OVDKMAlRCO__qncxMoXRz8jNE7AWvE0B4WIqANR1p
aC@5=
#=qFlfDskRbjMOXZPvSw2W2UA==
#=qK4wGebauvtmTKO0oAyLFzHLhr9rU3HNJmU_ur7Zop$YvLzV4HzmIQ45YslW_q1Vc
#=qP3lBpu0cs5q3Lf$qXSL7q6szA7E5M9NqMzkAFV6l4CI=
Close
#=qh7diH14jww3Fm9rMJ_jIfQ==
System.ComponentModel
#=qGS6wNk5u54YEpqtjtMFIpQ==
PADPADP
#=qHtuZg55b91a614FmHMsOMQ==
#=qp9IgcHwNxIVh4GZl4S2tcJtSz0NII67aXwFNDcdhP63JHe9MNg0kPsAos3IUd98k
get_TotalMilliseconds
get_LocalEndPoint
#=qhbsl5nSqHjmKK5u9FniHoA==
#=qM040QWzx1oySCgUyYWc9zA==
;6$)S>
<K}H0r
#=qUvO$SDWQpHm3uJq25yzwvw==
#=q0EPYqANhk$fGDlTztPFu2jRCdUruoFdUMwStI_GHseI=
I16QY
#=qnIGrpAn2e$qTqbA22$ONbQ==
OX5-n
#=qcyVktfYxc51I1XopnwGNjQ==
#=qRCCuvWFd9_O8CfEZhkJtSA==
#=q37jfceDpvm0BhKQMkpktNw==
#=qd3Itd1ELDPHJxhLvt0y1NQ==
#=q2Sd$5fx_doPt8h$UdBacAA==
oFu$!
#=qdsDfPo0zxdY$R7euM0a_vw==
#=q0uUZuMiILVbPeB$t7lx1a0Is1IW4CfkB9ovgW99kERQ=
JafPr
`<hNE
get_OSVersion
#=qQrBlfreeUYUGyN3hPOorGA==
N9Iknq
!This program cannot be run in DOS mode.
#=qChXzjuiVYrb8OlqJPajoUA==
ProtocolType
#=qnoPzE9XMA8S7X5JX6ycJ7w==
#=qOicuy1VnndMMXIrDqqx3EA==
#=qCeF2tfSXulrE0bbyPxU$1ik7Jf3avSO4FKBmKNH9QLg=
y{jA
ToInt32
#=qHJMw55fNEVIiKcc4ry0o7_L9hyz3vS4jgKl3KMX8xGg=
_Lambda$__6
RuntimeMethodHandle
Buffer
`5q}'pG
RuntimeCompatibilityAttribute
#=qPgHNba2TbLgSqrCvG0e5Uw==
#=qcDfNIFv7M2KbeeK2ufHf3w==
#=qxYJIjuXFTjRvt41we4akdH1WN2nLMpesVOXXsYuSrHM=
#=qtDC6IoLr5pnMo1d9qdAc2TBOnWqOdlEZHf8Itbl8cJc=
CompilationRelaxationsAttribute
#=qXIsqrB8Mw2TMQ5$s7oRSIQ==
#=qd7RJPnCy4YddvoQeTJhlwA==
#=qquFMi5Wa$w8aN9GGlN4H1Q==
#=qFZLDtLWdUONY4B_gU_jjJi4BgFANcRLPMuWuQINdRLc=
#=qVcF51voQmyGAgyAUz3313w==
#=q7$Vba9f7UkS7OwkHeUGtrn1ymWXBIMnyiJbrBxyOPBM=
feffeefefa
g=KP&
CreateInstance
#=qsUsGxFgC$BJaO_$VAtZ1Ug==
\^lE_
#=qsLIORBvLMZm5c5Lb9Cm$GQ==
,@Nrs8r
#=qZhds7a6Pui$KE4m8ht8xuA==
,g>m1<
#=qsUdW_kbiEct8_uosknsYUQ==
_Lambda$__9
#=qb8Z0_4AS4r8OSPknVYvDfA==
Monitor
#=qxO41EOA8VDczxcMMPD9Hv85pbiPnTbukmYyDI5Z6X8A=
#=qrYH2MBQ1J6Wu3hhoHHVW0JQwxTYC8hYBTLbQIYHNBds=
#=qWkPc$uBFgJrhuimjKXkFcw==
#=qs4p7qYamgHyRCYZsTKM03Q==
#=qXyCbQ53pEXrdqhJ6oXoHqg==
/.B!n
#=qo$DZvhC1PKdsChUToY52NA==
#=qGCYL9FviWCrv0prWZC8VfgL34V_6XyB$buFX2LkjbCg=
#=q5$hUSQAZNmEXcUcvGVFJrlqtw6IWJBy6C7LN$kOmTWU=
b`*&+
`%,h}
]H1e%
_R@5h.
UInt64
#=qUZMwlqlTBPLi1iscPEnOdMZqp5jDsQ1UK2Kgux$Yn40=
#=qxOFsoGbvlBlUujyS9g3fPQ==
#=q5WXECfTJPQIQ2JoJDGsf9pTFKCPzQGp3$QlyT_g_ZCY=
-2&~}
Stream
#=qNc0O1YGwS4NhcbB7sgpVgg==
#=qlt$K8Ex4tZEPwTl4RuqGMw==
ObjectFlowControl
bN;k0
DnsQuery_A
#=quRXaU$OHlRs_89kacdiUMQ==
#=qb_soGTESOxGbPyWr9RZjig==
#=qqLNJOrQl$9SirTNF5ZKaLA==
RuntimeTypeHandle
#=qZb1TYPPMMY64aTN2MpcGOQ==
DC[(H\C
#=q9x6KBL_arYpQC$zFf4pEFQ==
IPAddress
HashAlgorithm
#=qBuMzaVqxpYkDVtTnLpbYyjTfZNKm8_4JkuoFHPxOBFo=
System.Security.AccessControl
Z6-yS
#=q1BpeNGUQvsUFoXPmB6q50A==
SvO!$
RestoreProtection
#=qiY1B9yU2oVkPHxhn$y67SFTP8x1Jb0botGqdUGkdpQg=
Timer
#=qkxzumuLbzy2O2XsBlM3j$g==
#=qvQfNpqhSbw_$p1TB3UFgJA==
#=qDBRodZmvuO0qLafxHA9KMQ==
#=qrWXrfWfqyzD06oY$LsE9ww==
SendToServer
=1ZEm
#=qJEtGIBRUjtEusa67yMyqWQ==
#=qVvEn7vdm6JlvG9koG0JUIQ==
WindowsPrincipal
#=qqReemZdhHj1veATVZbU2_Q==
#=qWfwpJtKOXBFXf_1zpmLUrQ==
Collect
#=q5mGK9suCIiUDZgS_YSrSQg==
ReadUInt16
#=qcp_YDS3uDXZMDFWGeFYphA==
MulticastDelegate
#=qP5B75c4g32E_HsewCKc$Ig==
-*&{c
#=q4kB_KjL2oo8adT7lfnt6ew==
#=qPbvCT$UNIh_DPMt5F02Hyw==
#=qKtJTKEkNf2mJVHcZzSW8iQIcsBglzcJJOkX7V_uB55w=
#=q4o4zrrzr7uOw3pySDBOwZtAOdlhvudqcbIbhABkQfe4=
#=qenWi8guqQrvoGB55djo0ka_844yTmViBn5_Fr2X6HAceO7AJErk_Rh7nfkfqtUbq
LockResource
#=q5fG5Wo3pzujuJKotO2WwDQ==
get_BytesTransferred
GetProcessImageFileName
)L>$t
#=qQbsDS5g6rYgVt4AUW_pPJ8MQlCJBs7uyF9EY8OKREmQ=
#=qyYejfncvZCW4q4y4GEV7QqOL4Aox1NSDqQmcpM4TQVA=
|u.4By
#=q0f150kYsIx0s3raR3xq1xQ==
Utils
#=q6ARXRSe2PbSpq5u4_c1Rsw==
#=qpE_mRkS89WMXbQTdLD7bwp4pTt2zrWY_WBF1BLz1fes=
GetEntries
@kEpU6
#=qtussAh$DpHFmu7sm9TXJyZsrjeJ6Xm9c2y22v4wQG2s=
StackTrace
#=qc3tkHe_7v$eGA2x6krh72Q==
ClientSettingChanged
Registry
ProcessStartInfo
#=qXzCb60v8h3v0rPCrGf606Q==
#=qvvhgGCgMlZiK63M2bP1Kcg==
#=qpaOobmVTnUS0322VEUTQd53tn4HeMWSoV2XuTUOmp6U=
#=qCQ9vY8iVniiFr_C0wuoMFHQgjJIll0MjoDGXuPo1hYk=
#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q
HostDetails
#=qwWiTcboLi4zF4ycKWLBprqWhuc6ZDNNDjC8OE8DG1$c=
#=qFTBwGADWl13TibdOa5ODk_Y2qcfMGC4lp4rhrZcE84kZNE6dU4EqEk2ZYKuJAWo9
#=qK7tJUw5nsLE_rt2JHgqYI6_vH0s$mFFB1QifRuMCr34=
#=qKwlvi80KuDBelBsvucNuhRsqXRtqCfWqVH1dUPmd6_o=
#=qzI8efPARogp2CZcGB2UtfAz2tJs0A4fM9fKvuTKYqi8=
-!&o/
1cz[u
#=qphSRC1xHjYarc$NSFAVMID1iP8dwbr6BCaxyrkptDP0=
;6y\;;
#=qPYtEwg1BZk5tP9KKNl$36tqIdWilqjeWcpWKL2Zxnug=
q F%f"
#=qmTxGiMA05lTEtoPPV6RFOih4DYS0uxrxPO4vA1H2j6U=
#=qRNkKSXdFDcR_p8Jbzx9WJQ==
IClientUIHost
#=qGvpT_A2MS3Oi797y6jojBg==
#=q0xixHwSTS$a9x5dtNZccvebVLuO4euYOepae9m2S64s=
#=qSJci08l8EqyD9KF0joWzSA==
]"Q+a-Y6I
afeffefeeffe
y`sRE
#=qYKspnFhL3rrV8a6zSvXJWA==
#=qzAgp3UwWT0075L6Sh4PfZA==
'bpAb
ReadBlockData
AddMinutes
#=qDJ4yS7fCDfIiEVFkwyEE6G3$$73HwRgy2_eKZUkxaSo=
-"&~k
#=qhE2P2k46jiSSjO86g3nB1MkLGC9_3avDpI7iYbUHr5g=
#=q98hMbgVf4fBR3MKeaM4uQI$YRLQdIr1biYYF5369cW8=
#=q5bws5LlHvLK62TcSJadQTw==
3byRy
W{S2o
#=qP9qYgJs5_O2GP2pI$ho4ZSa8wQkwNQEBMg8VjNRrUWE=
#=qQkx1bBZns8hPde7$PcvfUl2fAairj6t_H8ve7nJO2s3BIB3t7PXd4ZR9h0JHyxrX
ToArray
#=q9LcncGbDdZaeonfU3943IQ==
#=qhufLjssUmkN_mXHuWOXl8gUDxidnVdWY$tHhp2HS0ic=
#=qJpz_ygP5AiHfhtTxRulSsw==
#=qtNbB44E34Ui_i5yJYQ5ntw==
#=q752iy7NeRDzz3UAYRlXXfQ==
get_MetadataToken
#=qAbQ42UrUbGpmkYA2zun7Tg==
#=qFY80y4KcMQywRNP$ttVIXw==
#=q2LHISsr6oVwPjyrC2AFTD2_CdAouK60pDkoTs0efRSU=
#R%W^
get_Item
UInt16
#=qN6ip4UNq3TKArPG3ZZy$zw==
4zSXe$
get_Now
#=qLEtx_37WeiIPQPYSN8vY0qTNiL_L6nA6vkFQwNlcU2Y=
FormWindowState
1i~WO
SQZE!
Delete
ClientUninstalling
<EoY_
:P:n>G
#=q6OqJPhANvYfkdc5uh_IKsUbLoI4zVFCxs4fpu7Vxr_U=
affefeeffe
#=q7uQjJN4fKJgs403tXnERFbQ1VWp3FBsMW_1ZAWZtc1g=
#=q_0gCRmXint4znUKVJR_bzg==
740kw
#=qBk9t7p9S5R095rOkFdE8GQ==
w;O,;)W
#=qT9sog7FujhNJZHxxUXVGPg==
#=qYhk_OkZkBWola80M6EUqow==
#=q74AbaKJhduohKQ4YDrC28g==
#=q2n0wwv9OpsrMrxVUVHoqGw==
#=qVxXNKnhAcArgJoGGYXiyyQ==
#=q8WaW5L3_NY3KPDRN6V9mCI08mHUZbTcARcexWvaAL6A=
String
Mqb $
#=qxe_BfLLMHqYa_KBeLsRfpw==
GetObjectValue
#=qWNtQAckY3EoQ$HeRpEQ9MEcj4oiFXpw6QZThgsGNZIA=
#=qscQJIcBkI9VH8bZTZtABeA==
#=qXULhMbqiur_al62NrjaiXWJ8rme0bKMO8KkV356NZwk=
<generated method>
#=qalo3zYdlWWh$dYSx9JnNrw==
ContainsKey
f9P{%
#=qKaOsg8ghd7KyYDCm3RhDg9KJrf7McwaH92TdOJzSw6s=
#=q60UcvJzzgao2Rv_stV3rQhhxCdm95L1Gb83mKGH1VxQ=
#=qHauijmh2nJ5kHO6fTYBnJFZKkfzkWt5gB4mYS5OLOVc=
#=q2c1dOwAlqEVK063i13$4Vg==
-0&sY
#=qcMb6hxBpdyTwCjvpzaQcC5dS3wbplPqOta7ERz_lMIo=
IEnumerable`1
#=qfLFZgbR_r0GETPSprP6O9w==
#=q3$9MQ9O56ldzMJGDeTdBZw==
ToInt64
#=qkgpjO3I2rdg6Il4nyqzgDw==
#=qSbcOBh8Kf7zb$IciDxPlGw==
4+xNLK6
aT<%u
#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=
#=qKU0J1fiP8KA33eFK1owekQ==
Gs#&f
Console
#=qsR25pLrAgwps$DwdB_BuUbMipiUFFEDkypROuvRRPj4=
#=qKi0KrAcAGUOMcS5S$2tJyg==
-!R,_y
#=q5grPwgEurSn6KutVLS5_oPClPR_aCEdSRk5nKP5bDm4=
B%n!0
#=q8VTskDJ5TyHJcDeWmklddw==
#=qbn24Ox5i732BM_T_R4Q3RtK1pEoSIYmxE9Rba9DDKEA=
SizeofResource
#=q2WFu5tRyicebO6UkQga8SbXrngw5YigfLTTVJqQy1qI=
BaseCommand
I29WQ
System.IO.Compression
#=qwSqLSPEuM8lJy4sOeuH92YjPodcLquqdG$OodozwC60=
Transmission
StackFrame
#=q8d8q1KZbTCKTAZreko1Lug==
#=qgW$Sn0ALOASuZcEZHxiZDaj3mNXTljqLa5onSc7M0U0=
get_Key
:@*I*
V`zy4
Intern
PipeCreated
-,&~C
#=q7b0FP8eSMCctHkHIxEb12w==
#=qG5YZbexfSlZk_cwFxKFh4HaY$Krp4rK2HdCH8OIs4EI=
LogClientMessage
/Had+4
#=qEqEPF0jj3sUIryvQNEKKCV9boaHFZuHXMROqSn28L3g=
#=q9iu_XWrg9WTOw3hVDQcP8ZcABJLoMYtAY0HfRbaBN24=
#=qdDrSQoelY6gHzRt_ma5NQg==
add_ThreadException
AssemblyProductAttribute
#=qwBDUI_NSPNLYbPH4gy$3uQ==
#=qsWAbPBa1yptbB97zoAjeSA==
get_Length
*YZSi
#=qc7QknLi4DrEENw9hVJyfaw==
VariableChanged
#=qN76bQl1CQ6EpIJzS4bbSnw==
#=qA32zcbPIWwOaURCE8zDGfw==
#=qqROT7DfncW7strhZvp0iRQ==
FileInfo
ConstructorInfo
T~4jn
#=qqnp3i0xG3gb2LwEmwQLB8NQerATuB2G0aH1k$$26lgk=
x\]DM
Change
get_BinaryLength
#=qbWN2780y2PKcyDt_4uktmA==
DialogResult
#=q6wR5WMLGkL9afTpqmWsw9g==
MessageBoxButtons
Activator
#=q48p8EJcbwRuSJ9efJfzTZ7uyOBVlFQpnFVv30w93EJA=
get_IsEnum
#=qrmavK4kbgFTgX3_IUlEoRw==
#=qoygY$KIlhsLDneTXkJ_L9A==
#=qhPbzHXREadcUSl6d6LhVYw==
#=qVCHxDTr$$bwFMb6i9vBKRZciaa69edA3gsLNOty0RAzCorWRBUh2v0PgySYBEvZ0
O?bY<N3
#=qgN8fDYnB$J$X9QGGYQsYuvA6BpDT4GE_ca7JiOh661Q=
ffeeffefeefa
#=q6NenfQbzQYLSZe2oYrhKsEGeaR69wF$W7VvfZPx7lyg=
#=qtRuLPG6CownVXpQS2Jma6EmxR$R$u15FKPRjOSzCUIw=
> |/
-*& r
#=q6k7flm9GMlPIija7ZH1xJg==
UnhandledExceptionEventArgs
=W~mJ
#=qbLBIoIXYNfJl3x9LHqBWNA==
#=q9RHjNFjnLkbqjNKidtUNeAGLmByWXgbKwjLfhcq9NOc=
List`1
AssemblyCopyrightAttribute
#=q0U3u45cUl83Kicjfx0RmVA==
#=q9T406SLBpfhYfDTkCrB28g==
#=qO0bmWYqIZnaB7Udo1OTvUuiP36Q9Z_7hz6URm1Yr1hM=
#=qibDx9sEkAVZroec7HmNu4g==
4System.Web.Services.Protocols.SoapHttpClientProtocol
#=q6V4Kle56uZFNUY$zkrrKJQ==
ToByteArray
ICryptoTransform
3u1,O
(2YGk
#=qzDzg9a$HVGG1G5cdhqbdwO3OG_SFijGXN8Towa37$TQ=
#=qd4_A7Y1qGQ8QAgHfK8_ssQ==
#=q3qYAJGveL_cxux6_2m4Vaw==
TryParse
#=qDB62T9X0iP_6WNTXOuwQnA==
PipeClosed
#=q8eJA0L4q0RMnuOJCvpFj3133vZRxVnxvHST9vysUWYQ=
Array
Microsoft.VisualBasic.ApplicationServices
#=qpQiSeXaCc6qGNX49vDbcMYyzv_UpV$YoUyrH0l6FW6Q=
PE Information
Image Base
0x00400000
Entry Point
0x0001e792
Min OS
4.0
Compile Time
2015-02-22 00:49:37
Import Hash
f34d5f2d4577ed6d9ceec516c1f5a744
| Name | RAW Addr | Virt Addr | Virt Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000200 | 0x00002000 | 0x0001c798 | 0x0001c800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.60 |
| .reloc | 0x0001ca00 | 0x00020000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.10 |
| .rsrc | 0x0001cc00 | 0x00022000 | 0x00015fa8 | 0x00016000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 8.00 |
| Name | Offset | Size | Language | Entropy | Type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x00022058 | 0x00015f50 | LANG_NEUTRAL | 8.00 | None |
| Address | Name |
|---|---|
| 0x402000 | _CorExeMain |
Processing 63.26s
- 25.519s NetworkAnalysis
- 21.601s Suricata
- 15.083s CAPE
- 0.983s BehaviorAnalysis
- 0.075s AnalysisInfo
- 0.002s Debug
Signatures 1.16s
- 0.271s antiav_detectreg
- 0.102s infostealer_ftp
- 0.093s territorial_disputes_sigs
- 0.06s infostealer_im
- 0.057s antianalysis_detectreg
- 0.038s ransomware_files
- 0.035s antiav_detectfile
- 0.035s masquerade_process_name
- 0.031s antivm_vbox_keys
- 0.024s infostealer_mail
- 0.021s antivm_vmware_keys
- 0.02s infostealer_bitcoin
- 0.019s antianalysis_detectfile
- 0.019s network_dns_url_shortener
- 0.018s ransomware_extensions_known
- 0.016s antivm_parallels_keys
- 0.015s antivm_xen_keys
- 0.015s suspicious_tld
- 0.014s antivm_vbox_files
- 0.012s antivm_generic_diskreg
- 0.011s antivm_vpc_keys
- 0.01s geodo_banking_trojan
- 0.009s poullight_files
- 0.009s uses_windows_utilities
- 0.008s network_dyndns
- 0.008s suspicious_command_tools
- 0.007s qulab_files
- 0.006s antidebug_devices
- 0.005s network_cnc_http
- 0.005s antivm_bochs_keys
- 0.005s antivm_hyperv_keys
- 0.005s antivm_vmware_files
- 0.005s ketrican_regkeys
- 0.005s bypass_firewall
- 0.004s darkcomet_regkeys
- 0.004s limerat_regkeys
- 0.004s recon_fingerprint
- 0.004s sniffer_winpcap
- 0.003s network_torgateway
- 0.003s antivm_generic_bios
- 0.003s antivm_vbox_devices
- 0.003s echelon_files
- 0.003s rat_pcclient
- 0.003s warzonerat_regkeys
- 0.003s remcos_regkeys
- 0.003s language_check_registry
- 0.002s network_http
- 0.002s network_open_proxy
- 0.002s accesses_sysvol
- 0.002s antiemu_windefend
- 0.002s browser_security
- 0.002s checks_uac_status
- 0.002s file_credential_store_access
- 0.002s registry_credential_store_access
- 0.002s disables_backups
- 0.002s disables_browser_warn
- 0.002s disables_power_options
- 0.002s azorult_mutexes
- 0.002s network_dns_opennic
- 0.002s network_dns_paste_site
- 0.002s network_dns_temp_file_storage
- 0.002s medusalocker_regkeys
- 0.002s revil_mutexes
- 0.002s modirat_behavior
- 0.002s obliquerat_files
- 0.002s warzonerat_files
- 0.002s reads_password_database
- 0.002s targeted_flame
- 0.002s ursnif_behavior
- 0.001s bot_drive
- 0.001s bot_drive2
- 0.001s network_ip_exe
- 0.001s recon_checkip
- 0.001s accesses_mailslot
- 0.001s accesses_netlogon_regkey
- 0.001s accesses_public_folder
- 0.001s writes_sysvol
- 0.001s antisandbox_cuckoo_files
- 0.001s antisandbox_fortinet_files
- 0.001s antisandbox_joe_anubis_files
- 0.001s antisandbox_sunbelt_files
- 0.001s antisandbox_threattrack_files
- 0.001s antivm_vmware_mutexes
- 0.001s antivm_vpc_files
- 0.001s banker_cridex
- 0.001s banker_spyeye_mutexes
- 0.001s banker_zeus_mutex
- 0.001s bitcoin_opencl
- 0.001s browser_addon
- 0.001s uac_bypass_cmstpcom
- 0.001s clears_logs
- 0.001s file_credential_store_write
- 0.001s registry_lsa_secrets_access
- 0.001s disables_smartscreen
- 0.001s disables_startmenu_search
- 0.001s disables_system_restore
- 0.001s disables_windows_defender
- 0.001s disables_windows_defender_logging
- 0.001s removes_windows_defender_contextmenu
- 0.001s discover_registry_mount_points
- 0.001s driver_filtermanager
- 0.001s apocalypse_stealer_file_behavior
- 0.001s arkei_files
- 0.001s cryptbot_files
- 0.001s modify_oem_information
- 0.001s modify_security_center_warnings
- 0.001s modify_uac_prompt
- 0.001s network_dns_blockchain
- 0.001s network_dns_doh_tls
- 0.001s network_tor_service
- 0.001s accesses_office_username
- 0.001s packer_armadillo_regkey
- 0.001s persistence_rdp_registry
- 0.001s persistence_shim_database
- 0.001s ransomware_extensions_generic
- 0.001s nemty_regkeys
- 0.001s ransomware_radamant
- 0.001s satan_mutexes
- 0.001s crat_mutexes
- 0.001s dcrat_files
- 0.001s rat_spynet
- 0.001s xpertrat_mutexes
- 0.001s remcos_files
- 0.001s removes_pinned_programs
- 0.001s removes_startmenu_defaults
- 0.001s spicyhotpot_behavior
- 0.001s spreading_autoruninf
- 0.001s stealth_hiddenreg
- 0.001s stealth_webhistory
- 0.001s tampers_etw
- 0.001s lokibot_mutexes
- 0.001s allaple_mutexes
Reporting 0.03s
- 0.031s JsonDump
Signatures
Attempts to connect to a dead IP:Port (2 unique times)
IP: 104.21.33.27:443 (unknown)
IP: 172.67.140.186:443 (unknown)
Checks system language via registry key (possible geofencing)
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
A process attempted to delay the analysis task.
note: sex1.exe tried to sleep 271.67 seconds, actually delayed analysis time by 0.0 seconds
Reads data out of its own binary image
self_read: process: sex1.exe, pid: 6648, offset: 0x3030785c3030785c, length: 0x00001000
self_read: process: sex1.exe, pid: 6648, offset: 0x3030785c3038785c, length: 0x00000200
Terminates another process
process: svchost.exe
process: svchost.exe
Performs some HTTP requests
url: http://i.pki.goog/gsr1.crt
url: http://i.pki.goog/r4.crt
url: http://i.pki.goog/we2.crt
url: http://i.pki.goog/gsr4.crt
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0001cc00', 'virtual_address': '0x00022000', 'virtual_size': '0x00015fa8', 'size_of_data': '0x00016000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '8.00'}
Uses Windows utilities to create a scheduled task
command: "schtasks.exe" /create /f /tn "WAN Manager" /xml "C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp"
command: "schtasks.exe" /create /f /tn "WAN Manager Task" /xml "C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp"
Installs itself for autorun at Windows startup
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Manager
data: C:\Program Files (x86)\WAN Manager\wanmgr.exe
Binary file triggered multiple YARA rules
Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Nanocore
Binary triggered YARA rule: Windows_Trojan_Nanocore_d8c4e3c5
Binary triggered YARA rule: Nanocore
Binary triggered YARA rule: Nanocore_RAT_Gen_2
Binary triggered YARA rule: NanoCore
Binary triggered YARA rule: NETexecutableMicrosoft
Binary triggered YARA rule: IsPE32
Binary triggered YARA rule: IsNET_EXE
Binary triggered YARA rule: IsWindowsGUI
Binary triggered YARA rule: IsPacked
Binary triggered YARA rule: Microsoft_Visual_Studio_NET
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_Basic_NET
Binary triggered YARA rule: Microsoft_Visual_Studio_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET
Binary triggered YARA rule: NET_executable_
Binary triggered YARA rule: NET_executable
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6648 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsWindowsGUI' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsPacked' with data '[]'
Hit: PID 6648 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientApp', 'IClientData', 'IClientNetwork', 'IClientAppHost', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings', 'get_Connected']'
Hit: PID 6648 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'IClientAppHost', 'AddHostEntry', 'LogClientException', 'PipeExists', 'IClientLoggingHost']'
Hit: PID 6648 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'
Hit: PID 6648 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 6648 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsWindowsGUI' with data '[]'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 6648 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsConsole' with data '[]'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 6648 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientData', 'IClientNetwork', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings']'
Hit: PID 6648 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'LogClientException', 'IClientLoggingHost']'
Hit: PID 6648 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'
Hit: PID 6648 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 6648 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 6648 triggered the Yara rule 'IsConsole' with data '[]'
Deletes executed files from disk
file: C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp
file: C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp
Collects information to fingerprint the system
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\cape\AppData\Local\Temp\sex1.exe:Zone.Identifier
Screenshots
Hosts
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| N | 172.67.140.186 [VT] | unknown | |
| N | 104.21.33.27 [VT] | unknown | |
| Y | 46.149.110.67 [VT] | unknown | |
| Y | 72.154.7.16 [VT] | unknown | |
| Y | 72.154.7.108 [VT] | unknown | |
| Y | 72.154.7.100 [VT] | unknown | |
| Y | 72.154.7.105 [VT] | unknown | |
| Y | 72.154.7.102 [VT] | unknown | |
| Y | 72.154.7.98 [VT] | unknown | |
| Y | 72.154.7.101 [VT] | unknown | |
| Y | 72.154.7.107 [VT] | unknown | |
| Y | 72.154.7.109 [VT] | unknown | |
| Y | 13.107.6.156 [VT] | unknown | |
| Y | 84.47.178.41 [VT] | unknown | |
| Y | 20.165.94.54 [VT] | unknown | |
| Y | 150.171.27.11 [VT] | unknown | |
| N | 209.85.233.94 [VT] | unknown | |
| Y | 84.47.178.49 [VT] | unknown | |
| Y | 40.126.53.14 [VT] | unknown | |
| Y | 52.123.242.97 [VT] | unknown | |
| Y | 20.42.65.93 [VT] | unknown | |
| Y | 4.207.247.139 [VT] | unknown | |
| Y | 84.47.178.56 [VT] | unknown |
Summary
- C:\Windows\System32\MSCOREE.DLL.local
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
- C:\Windows\Microsoft.NET\Framework\*
- C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
- C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
- C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
- C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
- C:\Users\cape\AppData\Local\Temp\sex1.exe.config
- C:\Users\cape\AppData\Local\Temp\sex1.exe
- C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\msvcr80.dll
- C:\Windows
- C:\Windows\WinSxS
- C:\Windows\Microsoft.NET\Framework\v4.0.30319
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
- C:\Users\cape\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sex1.exe.log
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- C:\Windows\System32\windows.storage.dll
- C:\Users\cape\AppData\Local\Temp\Wldp.dll
- C:\Windows\System32\wldp.dll
- C:\Users\cape\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
- C:\Users\cape\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
- C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat
- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
- C:\Users
- C:\Users\cape
- C:\Users\cape\AppData
- C:\Users\cape\AppData\Local
- C:\Users\cape\AppData\Local\Temp
- C:\Windows\System32\bcryptPrimitives.dll
- \Device\CNG
- C:\Windows\System32\l_intl.nls
- C:\Users\cape\AppData\Local\Temp\sex1.INI
- C:\Windows\assembly\pubpol5.dat
- C:\Windows\assembly\GAC\PublisherPolicy.tme
- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
- C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
- C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
- C:\Windows\assembly\GAC_32\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
- C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
- C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
- C:\Windows\Globalization\ru-ru.nlp
- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- C:\Windows\System32\msctf.dll
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\USER32.dll.mui
- C:\Users\cape\AppData\Local\Temp\CRYPTSP.dll
- C:\Windows\System32\cryptsp.dll
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD
- C:\Users\cape\AppData\Roaming
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\run.dat
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\Exceptions\1.2.2.0
- C:\Program Files (x86)\WAN Manager
- C:\Program Files (x86)
- C:\Program Files (x86)\WAN Manager\wanmgr.exe
- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\WAN Manager\wanmgr.exe
- C:\Windows\Globalization\en-us.nlp
- C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
- C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_ru-RU_b77a5c561934e089
- C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources\mscorlib.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources.exe
- C:\Users\cape\AppData\Local\Temp\ru-RU\mscorlib.resources\mscorlib.resources.exe
- C:\Windows\Globalization\ru.nlp
- C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089
- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089
- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089\mscorlib.resources.dll
- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_ru_b77a5c561934e089\mscorlib.resources.INI
- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
- C:\Windows\symbols\dll\mscorlib.pdb
- C:\Windows\dll\mscorlib.pdb
- C:\Windows\mscorlib.pdb
- C:\Users\cape\AppData\Local\Temp\sex1.PDB
- C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\task.dat
- C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp
- C:\Users\cape\AppData\Local\Temp\sex1.exe:Zone.Identifier
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\catalog.dat
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\storage.dat
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll
- C:\Users\cape\AppData\Local\Temp\ClientPlugin\ClientPlugin.dll
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.exe
- C:\Users\cape\AppData\Local\Temp\ClientPlugin\ClientPlugin.exe
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\settings.bin
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\settings.bak
- C:\Windows\System32\tzres.dll
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\tzres.dll.mui
- C:\Windows\System32\ru-RU\tzres.dll.mui
- C:\Windows\sysnative\ru-RU\tzres.dll.mui
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\Logs\cape
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\Logs
- C:\Users\cape\AppData\Local\Temp\Lzma#.dll
- C:\Users\cape\AppData\Local\Temp\Lzma#\Lzma#.dll
- C:\Users\cape\AppData\Local\Temp\Lzma#.exe
- C:\Users\cape\AppData\Local\Temp\Lzma#\Lzma#.exe
- C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources.exe
- C:\Users\cape\AppData\Local\Temp\ru-RU\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
- C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.dll
- C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources.exe
- C:\Users\cape\AppData\Local\Temp\ru\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.exe
- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
- C:\Windows\SysWOW64\schtasks.exe
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\schtasks.exe.mui
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\kernel.appcore.dll
- C:\Windows\Tasks\WAN Manager.job
- C:\Windows\System32\Tasks\WAN Manager
- \??\MountPointManager
- C:\Windows\System32\Tasks\
- C:\Windows\Tasks\WAN Manager Task.job
- C:\Windows\System32\Tasks\WAN Manager Task
- C:\Windows\System32\sppc.dll
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\sppc.dll.mui
- C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
- C:\Users\cape\AppData\Local\Temp\sex1.exe
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\run.dat
- C:\Program Files (x86)\WAN Manager\wanmgr.exe
- C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\task.dat
- C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp
- C:\Windows\System32\Tasks\WAN Manager
- C:\Windows\System32\Tasks\WAN Manager Task
- C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
- C:\Program Files (x86)\WAN Manager\wanmgr.exe
- C:\Users\cape\AppData\Roaming\F3037635-6191-4C44-BD96-905F1B4FEAFD\WAN Manager\wanmgr.exe
- C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp
- C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp
- C:\Users\cape\AppData\Local\Temp\sex1.exe:Zone.Identifier
- C:\Windows\Tasks\WAN Manager.job
- C:\Windows\Tasks\WAN Manager Task.job
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
- HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
- Policy\Standards
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v2.0.50727
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStart
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStartAtJit
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\AppPatch\v4.0.30319.00000
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\AppPatch\v4.0.30319.00000\mscorwks.dll
- HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sex1.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
- HKEY_CURRENT_USER\Software\Microsoft\Fusion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v2.0\OptimizeUsedBinaries
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3749840076-4109591986-3192690632-1000
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
- HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\NIUsageMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\ILUsageMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\LastModTime
- HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5aa75839\10fdf3
- HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
- HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
- HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKEY_CURRENT_USER\Control Panel\International
- HKEY_CURRENT_USER\Control Panel\International\sYearMonth
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Manager
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAN Manager
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_ru-RU_b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\de7da15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3749840076-4109591986-3192690632-1000\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|sex1.exe
- HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|sex1.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|cape|AppData|Local|Temp|sex1.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3749840076-4109591986-3192690632-1000\Installer\Assemblies\Global
- HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_ru_b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\2f231edf
- HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
- HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
- HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
- HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Ole
- HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft
- HKEY_CURRENT_USER\Software\Classes\Local Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
- HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
- HKEY_CURRENT_USER\Software\Classes
- HKEY_CURRENT_USER\Software\Classes\AppID\sex1.exe
- HKEY_LOCAL_MACHINE\Software\Classes\AppID\sex1.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
- HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
- HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
- HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\4ecde57e\31d9ddbb
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\a054161\46043f61
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\3b405a35
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\219e9581\26de983b
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\159a66b8\424bd4d8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Library
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\IsMultiInstance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\First Counter
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\CategoryOptions
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\FileMappingSize
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Counter Names
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\ru-RU
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\ru
- HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
- HKEY_LOCAL_MACHINE\Software\Classes\AppID\schtasks.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStart
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStartAtJit
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v2.0\OptimizeUsedBinaries
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\NIUsageMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\indexc\ILUsageMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\1\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\cb87bba\1\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\e\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\1910f9b6\2\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2ea32674\7\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\25f1f8b7\3\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\cc504d5\6\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7a57f554\1d\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\620ba200\e\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\7febb058\1e\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\47b2ade6\8\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\f\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\24949616\10\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- HKEY_CURRENT_USER\Control Panel\International\sYearMonth
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Manager
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAN Manager
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigMask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ConfigString
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MVID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\EvalationData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\ILDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\NIDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\7\MissingDependencies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Status
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\Modules
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\SIG
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\11593b27\5\LastModTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Library
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\IsMultiInstance
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\First Counter
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\CategoryOptions
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\FileMappingSize
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Performance\Counter Names
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\ru-RU
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\ru
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Manager
- "schtasks.exe" /create /f /tn "WAN Manager" /xml "C:\Users\cape\AppData\Local\Temp\tmp16B1.tmp"
- "schtasks.exe" /create /f /tn "WAN Manager Task" /xml "C:\Users\cape\AppData\Local\Temp\tmp2CBA.tmp"
- Local\SM0:6648:168:WilStaging_02
- Global\CLR_CASOFF_MUTEX
- Global\{b99f832a-30b2-4929-80df-5af09cffdbc2}
- Global\.net clr networking
No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
No CAPE payloads found.
Sorry! No process dumps.