{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 95.229
      },
      {
        "name": "AnalysisInfo",
        "time": 1.637
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.009
      },
      {
        "name": "Debug",
        "time": 0.002
      },
      {
        "name": "NetworkAnalysis",
        "time": 27.481
      },
      {
        "name": "Suricata",
        "time": 26.4
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.006
      },
      {
        "name": "banker_zeus_url",
        "time": 0.001
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.001
      },
      {
        "name": "bot_drive2",
        "time": 0.001
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.001
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.015
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.006
      },
      {
        "name": "network_ip_exe",
        "time": 0.001
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.009
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.002
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.002
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.003
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.016
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.004
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.002
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.007
      },
      {
        "name": "antiav_detectreg",
        "time": 0.008
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.001
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.001
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.001
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.001
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.033
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.05
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.001
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.087
      },
      {
        "name": "clears_logs",
        "time": 0.001
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.001
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.065
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.001
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.038
      },
      {
        "name": "disables_backups",
        "time": 0.002
      },
      {
        "name": "disables_browser_warn",
        "time": 0.002
      },
      {
        "name": "disables_context_menus",
        "time": 0.001
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.028
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.002
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.001
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.024
      },
      {
        "name": "disables_system_restore",
        "time": 0.001
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.001
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.132
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.001
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.002
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.006
      },
      {
        "name": "cryptbot_files",
        "time": 0.001
      },
      {
        "name": "echelon_files",
        "time": 0.002
      },
      {
        "name": "infostealer_ftp",
        "time": 0.008
      },
      {
        "name": "infostealer_im",
        "time": 0.005
      },
      {
        "name": "infostealer_mail",
        "time": 0.004
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.004
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.002
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.005
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.001
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.001
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.001
      },
      {
        "name": "network_dns_opennic",
        "time": 0.002
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.002
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.002
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.012
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.001
      },
      {
        "name": "suspicious_tld",
        "time": 0.008
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.031
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.005
      },
      {
        "name": "ransomware_files",
        "time": 0.007
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.0
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.0
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.0
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.0
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.001
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.0
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.0
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.0
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.009
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.001
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.023
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.001
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.001
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.001
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.004
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.001
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.07
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.0
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "01e3b18bd63981decb384f55",
      "path": "/opt/CAPEv2/storage/binaries/01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354",
      "guest_paths": "",
      "size": 100352,
      "crc32": "EDEEDF40",
      "md5": "9c8242440c47a4f1ce2e47df3c3ddd28",
      "sha1": "874f3caf663265f7dd18fb565d91b7d915031251",
      "sha256": "01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354",
      "sha512": "3525b219fec9894d9d534e6774e19fbf7097c9a00d733c11bee14c90b9beb82ce4cd2a35e97be71f096a7f6d60051da4026ab8e42c0409b0e54b50cd482beb7d",
      "rh_hash": null,
      "ssdeep": "3072:2m7DYfm4SRR+NaVEs+k6kiS+94ERR6gR0bRbD:2IoIRRGaVExfd",
      "type": "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "DITEKSHEN_MALWARE_Win_Nanocore",
          "meta": {
            "description": "Detects NanoCore",
            "author": "ditekSHen",
            "id": "931b98f6-df2b-538b-bc49-ecbbd24334da",
            "date": "2020-11-06",
            "modified": "2024-11-01",
            "reference": "https://github.com/ditekshen/detection",
            "source_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681",
            "license_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt",
            "logic_hash": "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7",
            "score": 75,
            "quality": 75,
            "tags": "FILE"
          },
          "strings": [
            "NanoCore.ClientPlugin",
            "NanoCore.ClientPluginHost",
            "IClientData",
            "IClientNetwork",
            "IClientDataHost",
            "IClientLoggingHost",
            "IClientNetworkHost",
            "IClientUIHost",
            "IClientNameObjectCollection",
            "IClientReadOnlyNameObjectCollection",
            "ClientPlugin",
            "get_ClientSettings"
          ],
          "addresses": {
            "x2": 63352,
            "x3": 63405,
            "i2": 63340,
            "i3": 63374,
            "i5": 63389,
            "i6": 63431,
            "i7": 63450,
            "i8": 63469,
            "i9": 63483,
            "i10": 63511,
            "s1": 63361,
            "s6": 83874
          }
        },
        {
          "name": "Windows_Trojan_Nanocore_d8c4e3c5",
          "meta": {
            "author": "Elastic Security",
            "id": "d8c4e3c5-8bcc-43d2-9104-fa3774282da5",
            "fingerprint": "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4",
            "creation_date": "2021-06-13",
            "last_modified": "2021-08-23",
            "threat_name": "Windows.Trojan.Nanocore",
            "reference_sample": "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd",
            "severity": 100,
            "arch_context": "x86, arm64",
            "scan_context": "file, memory",
            "license": "Elastic License v2",
            "os": "windows"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "NanoCore.ClientPlugin",
            "get_BuilderSettings",
            "LogClientException",
            "IClientLoggingHost"
          ],
          "addresses": {
            "a1": 63405,
            "a2": 63352,
            "b1": 83699,
            "b7": 83554,
            "b9": 63431
          }
        },
        {
          "name": "Nanocore_RAT_Gen_2",
          "meta": {
            "description": "Detects the Nanocore RAT",
            "author": "Florian Roth",
            "score": 100,
            "reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "date": "2016-04-22",
            "hash1": "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "IClientNetworkHost"
          ],
          "addresses": {
            "x1": 63405,
            "x2": 63450
          }
        },
        {
          "name": "NETDLLMicrosoft",
          "meta": {
            "author": "malware-lu"
          },
          "strings": [
            "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
          ],
          "addresses": {
            "a0": 87502
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_DLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsDLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsConsole",
          "meta": {},
          "strings": [],
          "addresses": {}
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T134A3490766CD6EAEDABD4638733307C6C328CE425953D6DE28D420659A3A7D33A033D6",
      "sha3_384": "a9b9993935da4f81da652c08d13476b1a9b1baf3bedb362f5ac175fc33b5fc213b0b5decb98df5aca700b0c7e41e316e",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x000173f2",
        "ep_bytes": "ff25002040000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x00025abf",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorDllMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x00017398",
            "size": "0x00000057"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0001a000",
            "size": "0x00002f88"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00018000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00002000",
            "size": "0x00000008"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000200",
            "virtual_address": "0x00002000",
            "virtual_size": "0x000153f8",
            "size_of_data": "0x00015400",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.94"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00015600",
            "virtual_address": "0x00018000",
            "virtual_size": "0x0000000c",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.10"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00015800",
            "virtual_address": "0x0001a000",
            "virtual_size": "0x00002f88",
            "size_of_data": "0x00003000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "3.34"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_ICON",
            "offset": "0x0001a208",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001a4f0",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001a618",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.72"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001aec0",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.05"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001b428",
            "size": "0x00000353",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "4.05"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001b77c",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.72"
          },
          {
            "name": "RT_ICON",
            "offset": "0x0001c824",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.76"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x0001cc8c",
            "size": "0x00000068",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.69"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x0001ccf4",
            "size": "0x00000294",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "3.30"
          }
        ],
        "versioninfo": [
          {
            "name": "Translation",
            "value": "0x0000 0x04b0"
          },
          {
            "name": "FileDescription",
            "value": " "
          },
          {
            "name": "FileVersion",
            "value": "1.0.1.7"
          },
          {
            "name": "InternalName",
            "value": "SurveillanceExClientPlugin.dll"
          },
          {
            "name": "LegalCopyright",
            "value": " "
          },
          {
            "name": "OriginalFilename",
            "value": "SurveillanceExClientPlugin.dll"
          },
          {
            "name": "ProductVersion",
            "value": "1.0.1.7"
          },
          {
            "name": "Assembly Version",
            "value": "1.0.1.7"
          }
        ],
        "imphash": "dae02f32a21e03ce65412f6e56942daa",
        "timestamp": "2015-02-22 00:49:49",
        "icon": "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAY0lEQVR4nO3XIQ6AMBBE0YH0eGuAcwKmZ1sLCkHRZUj4o9qaeVmzqfT3DJl5OAGjs1ySynWIiFeLa62SPjABAABK+7Cte9fCeZlud/sEAAAAAAAAADvgsY7bddk79gnwMSH2nLDUDvNx5OJLAAAAAElFTkSuQmCC",
        "icon_hash": "f66c7c86e9ab59ef3f289acd613a3738",
        "icon_fuzzy": "c3ca946d749a15ad18efd3e5d7b0d8f5",
        "icon_dhash": "454545d4d4d44503",
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "#=qJMk2mm7JzMNLHm_qiokaBg==",
        "#=qdKcJdwMiOeYxOOef7tprPA==",
        "FileSystemInfo",
        "SurveillanceExClientPlugin.dll",
        "#=qj9ZxzplN98x0cw4vsdTIeAYbm4MuQTx3vvInSGv6TNQ=",
        "#=qmYO5ZdL8rYBU50vW2vu2vA==",
        "#=qNvC_NYQ$jxwZUcf0Dch28Q==",
        "#=q3$2Q8bGYuhwIzDGhDbeVKw==",
        "Concat",
        "MatchCollection",
        "Device",
        "wgdYBzhSP",
        "mscoree.dll",
        "get_Unicode",
        "DecodeDirectBits",
        "Environment",
        "0.0.0.0",
        "#=qSEueyU62hrm3SqHJ6k683A==",
        "#=q_DoWG6qBrmNj2sFXhHToddcMKO0wW3x6VUG0Xl$sx6Q=",
        "_Lambda$__2",
        "#=qCY4x0Hk1DV3VV540zoAoHq44QCRyxMpq9Z7J0uRDONc=",
        "AssemblyName",
        "Handle",
        "$+8)l",
        "WriteCoderProperties",
        "System.Collections",
        "DnsRecord",
        "#=qoESbzrXX757aiWupYaS0Fg==",
        "GetWindowThreadProcessId",
        "System.Resources",
        "\\3P0_",
        "GetProcessById",
        "set_Value",
        "#=qLoRN6X6HIt1Xa9meALla1w==",
        "#=qRLsSPguDZ2WiS_9q1jK0OA==",
        "feffeeffeefa",
        "kNumPosStatesBitsEncodingMax",
        "buffer",
        "9feffefeefef",
        "#=qXbC0g0j7eSDHrYXbfI7uUQ==",
        "numPosStates",
        "fefeffefefeYa*&+",
        "#=q1SKypGFVOvRWVSxnayoaZA==",
        "ffefeeffeefa",
        "#=qWJ6BottP3sy8x7gEdcb0bA==",
        "DNSLogging",
        "`Q[;*",
        "Int32",
        "#=qX9Iav0g17FfZrf$Wa_Z$UA==",
        "MethodBase",
        "?lg(*%",
        "#=q1gvzY2QJaRNC2Opj5zvkew==",
        "#=qQtYdx8zGiMcgHSZRdJY2eNz7X7jeIu77OE$6MbjGdow=",
        "Operators",
        "#=qkWsKP7N1mMxiLhNKbBGyYQ==",
        "OutWindow",
        "#Blob",
        "kNumPosStatesEncodingMax",
        "_CorDllMain",
        "#=qjuMRqjMOfCBSkBZ$qdWB7gfgShTNiHkLFmJMr9kwm2s=",
        "dictionarySize",
        "System.Text.RegularExpressions",
        "m_IsRepG1Decoders",
        "AddRange",
        "m_NumPosStates",
        "#=qitflJGbE1LvsFZhH2KI8iw==",
        "m_IsRepG2Decoders",
        "w,>XG",
        "FxtdFQ",
        "#=qLkA5Ktc2Vyv3E0oIB4RaGKVcXXSrFPOpFhegspshwsM=",
        "#=q3On07nwtezKDVaTvvy7hQw==",
        "System.Text",
        "DefaultMemberAttribute",
        "#=q_lmCRPO7dEMifptlI90PUI6fTs37DVMnLP3Tc_99pO9b_Ar2C6S3QjxXlqu$2$Ji",
        "Lzma#",
        "#=qMf1osOFZtYMmK9zzNx40rfvv_YoLwDp8OMEKs9fpung=",
        "*g<G#",
        "#=qyu3NT2dToM$yBnnmjJpX_A==",
        "GetFileName",
        "r1@bR",
        "m_NumPosBits",
        "BeginInvoke",
        "#=q$JRP3cfSdESKqcBwdqroDA==",
        "*feffeefefa(k",
        "}f?}(",
        "#=qnK4q617M6jpGr1Yao9yYqS$4rymgiQhJ4ZFnefse3xw=",
        "#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=",
        "#=q87OQiW26GT5YhhifxB1ycQ==",
        "#=qbq1zwN5cBc2zVzfqhNqQ3A==",
        "#=qZEddNhTPipNw6nrWW_Y$yg==",
        "#=qC8mTOCLir0glpBrmJ0SdnmHHFbkpzCiiLHzNBfM8wGI=",
        "#=q$lfwQP3V$fI_eAT4UNT4Xw==",
        "_windowSize",
        "#=qVfaUfLDWAzF$RlYVgj1wNF8n8kmTu$wot2J$tCjGN8Y=",
        "pL;tw3^",
        "kNumPosSlotBits",
        "#=qwEixqO2naf_HFyLxM_Gcyg==",
        "DictionarySize",
        "#=q6OFP010g5soKgnTnbmu3Kw==",
        "#=qnKUfPP6szza9tbB6nUy8xg==",
        "m_LiteralDecoder",
        "#=qbSzob7di0xhquDotppyDIQ==",
        "#=qQYHJ9cbQC48EyKpwpB16nA==",
        "VarFileInfo",
        "#=q44Ge7WkJpSnGLK6MLWcFSRNgYnrWBmFZXNBBEoIIDaA=",
        "#=q4JZtAkw1AbHjZDLXOWX1S7hObryEvjHFr2lpmZRKKqk=",
        "UsedMemorySize",
        "ExportLogs",
        "CreateParams",
        "kNumLowLenSymbols",
        "System.Runtime.CompilerServices",
        "m_RangeDecoder",
        "propIDs",
        "#=qFmRvgsWHCKQ4mLv0tVX1LpXWrQGWBW2uPMRDDZBQ3NE=",
        "#=qEpLGwcDnU1CmOXL0_Q9_G3ma45ep4FwMouAEwhe3UDs=",
        "#=qfr01crnlLbYOSEVqdzZl_w==",
        "#=qtHnEPLPkk7hMadnASVBYOQ==",
        "#=q8m3eeZ3I1fe5NWroFByPwA==",
        "GetMethod",
        "#=qK2wA50V2hd26U81M2F89yA==",
        "#=q_jsSB3r53EMKsX0IF7998lJdtArDwZA$R1FORxem2gw=",
        "#=qIgstGGQ5QFyArsA4tFZ9gMXl2Z1n7FQM8Ir5yEhe7bg=",
        "3N,6T*",
        "IAsyncResult",
        "wwwwww",
        "EndInvoke",
        "Algorithm",
        "#=qn5IIXKsG$Rjf5NLYW0itfKOM31oZHLt3gLqf2_kftP8=",
        "Exists",
        "Clipboard",
        "stream",
        "#=qswcK7hT_kB0QKWfJkx5yaA==",
        "command",
        "#=qdp3_X66oJZlpIuv5LiL7oQ==",
        "#=qdGm5exfEhNFieJscVwP7Ig==",
        "User32.dll",
        "kNumLenToPosStates",
        "SetDictionarySize",
        ".text",
        "NumBitLevels",
        "tWG:ga6z",
        "Capture",
        "_.S1y#",
        "GuidAttribute",
        "#=qnYAWlQj57yOiw8G56cyZ1xAHaR1U7XOmUh4Dl1Ry2dw=",
        "NanoCore",
        "FileStream",
        "MemberInfo",
        "AssemblyTrademarkAttribute",
        "kNumRepDistances",
        "#=qpnx7zwfabY$GPmx17OGM$Q==",
        "$b@k,",
        "Match",
        "#=qm3$lqQFHE5yybYEUJcsoLQ==",
        "DateTime",
        "IDisposable",
        "LoggingCommand",
        "#=qZa8aL9QQpAct_eZ$OvV3DGt0jcd0qAWUB$fEqNjyKFc=",
        "#=qI9SaxQ9YixVXqEOEyYy4jg==",
        "GetRuntimeDirectory",
        "#=qGISQnMqbcWeKV0TurcNIKw==",
        "ProductVersion",
        "#=qzJW9ga54odAXLIjfGeC53w==",
        "#=qoYvuV7eCvAwMxHUFDJS8wA==",
        "Models",
        "FileDescription",
        "@.reloc",
        "ffeefefeffea",
        "#=qYqZmZ8i0gJ622Li_3yoHLg==",
        "DebuggerDisplayAttribute",
        "w,khq",
        "w,&0,){",
        "KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator",
        "get_Position",
        "#=qMHZxfZF2XEPb0lw4JSM_Rw==",
        "IClientLoggingHost",
        "#=qqMa2dn7Mo8AUqcdTNVrKnysHWb5y124IcjK25vm9eZo=",
        "#=qt$d$Ds4e4Jw1OgazOrFmP7IjRAhcajYSRQ3nV1Gv_gE=",
        "Wow64GetThreadContext",
        "kMatchMinLen",
        "#=qGcjgY6CoWEyIyBHhl8IOzBWznvmxUV$ea7X6DYChG4I=",
        "#=qTL5DPmA8W6iSCBjEJji2rQ==",
        "#=q$rj0ypz44wmTUIatF3mcCg==",
        "#=qsgunsIbevOIs8JXy3CoZMA==",
        "GetObject",
        "#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=",
        "#=qTYMI4cCoxNXwMnM7O2jYeq5drMeUlMrrV09hYVC9erY=",
        "GetDirectories",
        "kAlignMask",
        "*Q:Z<B",
        "GetDirectoryName",
        "#=qE6F54GYIBpn$BZEfY630Wg==",
        "Thread",
        "CreateDirectory",
        "ffeeffefefea",
        "#=qIi_Ou2QI9eJprahHe$q2OQ==",
        "Index",
        "#=q3Z5wFl9_0OdP0OU1ZerzvQ==",
        "#=qZiNMDewvnldx4qzy3_KAqsLzOSv7XeVY6NGBzI7UWoI=",
        "#=qUEJZL$C$BINDXimDMMdI001yzN7JKwKsT6fA3y_33Zs=",
        "#=qX0mlJ6fIIwM2M3pw4kuJng==",
        "#=qVtDJRWPjI1BzmKOCciT_67L$pos6o3jsSqZbgwOmTXo=",
        "CopyBlock",
        "PutByte",
        "\"HL%=1",
        "kMatchMaxLen",
        "IClientData",
        "Directory",
        "#=q_epRHVto2biCMMVbfiHzdQ==",
        "#=qRJ08F9z0iJoY3iiXB0Qlrw==",
        "000004b0",
        "ReadLine",
        "#=qmoIs$6x0ZDyGXIN93fBP0w==",
        "#=qL7K9B3ZmF8NvfG9na7qxaiahB_Fp2Mn46HhJZMIv3sM=",
        "m_PosSlotDecoder",
        "Translation",
        "mscorlib",
        "#=q9T22Isi75tDHRtquK1dSvA==",
        "RuntimeHelpers",
        "IWriteCoderProperties",
        "#=qmUIbDGkqnZakNX$ZVNONlw==",
        "#=qtkP1JPc7yNllp83Le5QCNA==",
        "#=qtD63hWVl90223y03RXLNrA==",
        "-%&~P",
        "#=qzR6FgwKHQePmETWSV3UHVg==",
        "IClientReadOnlyNameObjectCollection",
        "#=q2YB5GAXeEvmYmIsxoHVu4uVCCNRqFNZApRAwgfaevQg=",
        "kNumPosStatesMax",
        "UM>!NC'O",
        "#=qwyZBd1E$zygsKRdrCM1tlg==",
        "#=qadlAy0ld3tNeu$IcI$2Jq_Arv7ASxtaLzDJHV4HhJlY=",
        "HideModuleNameAttribute",
        "_Lambda$__7",
        "Default",
        "#=qWmdtsGcuMivbk1JtTASVvg==",
        "recordList",
        "o M(d",
        "outStream",
        "#=qSseLs6pMe5FoflVo2bRqOQ==",
        "Wow64SetThreadContext",
        "rawInputDevices",
        "ToLower",
        "IsCharState",
        "SetDecoderProperties",
        "Boolean",
        "8.0.0.0",
        "q<+-T5",
        "#=qur7j1M5vHkSPasucOkbcNw==",
        "J{4!jpH",
        "Order",
        "SendMessage",
        "#=qBcPm_drbp7ocdEoXBCg55Q==",
        "pAB|\"",
        "Matches",
        "#=qbVZ2VGZYhcslyt7WOHvByg==",
        "#=qZrBp2zQvnJP1R2KqzmmR8A==",
        "#=qt5WsljHA_z4lWKJJiNRSEGCnAbuC8NDsfhiN_p8Vhq4=",
        "System.Security",
        "Resources.resources",
        "Exception",
        "td8V/",
        "Sleep",
        "#=q$eByR1alsjlxVI5xhSAtpg==",
        "#=qUvNuZD70A1m1h5rP8mt7hxHu6e1_lErn05OLHflfW_U=",
        "#=qMxv2Vlcc2Tp8j_uByDYyGJMxccShzf3B6SeYq7g7Daw=",
        "TimeSpan",
        "DecodeWithMatchByte",
        "Tc#Cf",
        "#=q0$8sFvWAj3Q5z0kt5$qL1A==",
        "GetString",
        "#=q2gdZtLtmxCrF2SEuXdll9g==",
        "#GUID",
        "#=qy7SdMitZjkIreiUV191vv9ssNSzMPuW8jMow5TTkIUU=",
        "AssemblyDescriptionAttribute",
        "afeffeeffefe",
        "#=qG_YyprUv4EKXjeIN$dVZHA==",
        "#=qlAdkkonfdPbm4KDS2op$vaZdX8byjv$LxAv$dtNhCYM=",
        "#=qiuuc1hm1qoPzINMXy6yo6g==",
        "_Lambda$__10",
        "Flush",
        "get_UserName",
        "#=qf$JSULqR8FwRBjD8O35M78CMWrW22oajqxT6WI8BsvY=",
        "#=qpQA5HetEkOqW8wCwEjKRvA==",
        "GetBytes",
        "& v<y",
        "Microsoft.VisualBasic.Devices",
        "#=qM20PlP1dETH_UsxzbJfTKA==",
        "kNumMidLenSymbols",
        "RawInputKeyboard",
        "#=qW2f_iwWmYEr7F$sLsSJyUQOLwNV7jFL4HCiEoxW8lh4=",
        "#=qJaPb45IJRsbtEzYPWDbNwpthPAgk3ktYb4cxU6CRRns=",
        "#=qaouzCOurd1KB0CsJ9gMIzQ==",
        "#=qNX0lYEuSQ$nDBW9nSNQAZQ==",
        "lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet",
        "BitConverter",
        "set_Position",
        "ReadByte",
        "ChangeClipboardChain",
        ">5n4T",
        "#=qjPdKXesXFUYK$lTAuWfj4g==",
        "#=qZ8jdBbqDQs5U27LEbuhkeA==",
        "#=q2oxbm0Yzi5XQVj1QkCC71A==",
        "VUyP`\"",
        "StandardModuleAttribute",
        "#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=",
        "kNumPosModels",
        "#=qFIAR8B1f$tNJs2xhTgINCnRaZkcxVSBxxXtjUtb7Whs=",
        "#=qMwDyeKYTOkSPK81Bwd7OY2mUhsDwOc5zugQnqg1ZfW0=",
        "#=qc3C7cwFHdA0fP9ewBftW90qaZ7YCZNSkeDx2JbA$rIM=",
        "GetLogs",
        "GetTypeFromHandle",
        "Split",
        "@3n'pA",
        "!FI};",
        "#=qr03MMh5pLoqsU2EEvN6ch6Tr7EGrL5c9eR_71qVrp$c=",
        ",{Uu\"p",
        "#=qxns0sTKVsgArVmXl3cFChFnM3Jv6Np_VftoasierUvg=",
        "get_Current",
        "#=qApHfpHzdRAuqPbkbKAzJmptqQgc7NLQ6T4N$H6aQHdw=",
        "4System.Web.Services.Protocols.SoapHttpClientProtocol",
        "FileMode",
        "#=qzx697Szk1moqO$yUynaioQ==",
        "#=qryghDdZnHsy$RagUj_T5aw==",
        "#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=",
        "System.Configuration",
        "$a58de1a4-5da5-48e4-8e57-197cc7b39b9b",
        "#=qT03bmh7uoc7QIggZX8722i59yRaiKXEb45q$FKk2uZY=",
        "GetForegroundWindow",
        "#=qfvCuRNoH9u00SSFFCvqZfg==",
        "Enumerator",
        "_Lambda$__1",
        "rangeDecoder",
        "#=qIxjnZll5GhllBN9b$ufZ3w==",
        "PasswordCommand",
        "Process",
        "#=qBvMiXP1hJ6VKxap1MxE0TUe8TQ47t0bgRFkWT_2Ymyk=",
        "#=q5sfq13B7vXg052uxfqu39g==",
        "CoderPropID",
        "]DB?w",
        "m_Decoders",
        "handle",
        "#=qBFvoYJt20gtsoLlWjU7jDuRfeDDIa87upzYCldwrNpI=",
        "headerSize",
        "GetLenToPosState",
        "lR7YPL",
        "#=qsV5K_71ZHH78FtoiXhsOYTV_Csv1aAdiiSCpj2X2l6o=",
        "#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=",
        "GetKeyboardLayout",
        "progress",
        "Microsoft.VisualBasic.CompilerServices",
        "prevByte",
        "ResolveEventHandler",
        "KeyboardCommand",
        "#=qt4h6_$cdnIG2g3BjEtlC9w==",
        "#=qZL$T$hC424exz5$sUQkm7w==",
        "#=qgC0tfaC3XL8FoOE$$1EOPjdVRTBNXr2NN6qMTkS_iSk=",
        "op_Equality",
        "PtrToStructure",
        "#=qmj_W3318X7UXjXz1JgFDnA==",
        "dnsapi.dll",
        "System",
        "CultureInfo",
        "#=qK8YSOZHQFwZhkU76$yIGwZGiGsr64hyFLs_9C0C9am4=",
        "#=qAQlIVHekXJrJwpDPrher5Q==",
        "_[&_C",
        "RawInputDevice",
        "#=qVa4dlGgXioIeYYgbx3$NvQ==",
        "~kItE",
        "m_DictionarySize",
        "DecodeNormal",
        "pvKSg&",
        "#=qPQ2EtheKurZp3OCkjzyyfQ==",
        "#=qCOMF0I9Fd3HxgGmFBDkurw==",
        "nextHandle",
        "#=qXtiqGLzJVH3aswCtlNNiug==",
        "MyGroupCollectionAttribute",
        "#=qrfNBcNMYeC4rLqwqMcn1jQ==",
        "CreateProcess",
        "#=qqLHT7hLUa1CKAG8LwjstJ5pArtyKEnkhPdyr1iCpbvQ=",
        "#=qU1ta1c$LOdIR6a7j6Rj67A==",
        "Group",
        "#=qKm6o1ledVqdR1Rw65bjQpA==",
        "MatchFinder",
        "ToByte",
        "#=qmHLlS2qqUAdmPyMYO7MoCg==",
        "UpdateChar",
        "#=q9kl5SZeUeIanHPXqH8Byvg==",
        "#=qg8F7l$fE22BW2JsfOcHpQA==",
        "Close",
        "#=qLt1igOtnjDbO40cq0340qg==",
        "#=qq9v5LklzRMUWeC0fX17u2w==",
        "7bocd",
        "#=q7SFZv3_X1jh__i0qS$yTrM3aMBoo7MMGOOAa9ltriPA=",
        "get_UTF8",
        "yz)X:",
        ",aNu^",
        "System.ComponentModel",
        "PADPADP",
        "SuppressUnmanagedCodeSecurityAttribute",
        "#=qqH0HzK5dpalJBOwa$wm3qg==",
        "ToString",
        "#=qyyoWizFgb3s$leRoJx8tVA6$nX314Se8B3eVLLvmYmg=",
        "#=qD_tmohqZXqQNhfRrQTYMfA==",
        "wwwwwwwwwwwwww",
        "`.reloc",
        "kNumMidLenBits",
        "#=qPS5ww9Qh4Qg1KnC9SiWQMg==",
        "LegalCopyright",
        "#=qgfJt9ZkqNp_s2eN$EF8lRoKBGN4LufTLNE1dmIBIf28=",
        "CompareString",
        "w,koK",
        "#=qykGtg3M9D9MTgOzaJO5xlg==",
        "(P~GY6*",
        "w,,p\\Rn",
        "#=qlZpTa_5oxuNhvwPl6FFKJg==",
        "#=qSq5zYE9oYXENFbc3V2Pe6w==",
        "kNumMoveBits",
        "_cX*n",
        "CompilerGeneratedAttribute",
        "#=qajec5milwVsqpbQNJ3pdAg==",
        "#=qE9U$URsu_c0Ig08qpeApRw==",
        "#=qxNAiPpjp2npMNB0TDaEubA==",
        "Equals",
        "#=qJuchJ7XfDSJXhX78ouEvSDi2Fm4IZfphEm1lxVR84W8=",
        "Extra",
        "#=qtdpI8mE0PC7HKAm0rggvhIxya1OU5XWEFr8n2AbzdwE=",
        "#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=",
        "inputBytes",
        "#=qyM4k7EGb5X12gk8YOkeNSQ==",
        "#=qkQ6DX9hRr8CpN4pCprp8dKTu5XpWEUA3fFuODRBQebM=",
        "SendTools",
        "#=q$ga0JQ2t4Nzt317dL7s1HA==",
        "#=qFiQXtwwrpPrf6i6Nohe$2A==",
        "#=qizSuKVUZWi22rIa8Z61Irg==",
        "ContextValue`1",
        "SetValue",
        "ResumeThread",
        "#=q6Yv$G4eHDn8gxVVQ7jH00Q==",
        "#=qaeAZ85IK9icf1hoO$eIUgQ==",
        "#=qTm4mE2BvwyQu9opBPZoYvABEXk1NdIbQ5LncPq_d5OQ=",
        "ApplicationLogging",
        "SetLiteralProperties",
        "#=qaGMznr3c$ok6TsLDKsBgpA==",
        "#=qsWLw4NosPP1gi5wOWkKQoz05m2lejq$6CuB$iOBB3AI=",
        "#=qGgwwpS30yt7z7wmA5NNa3g==",
        "_Lambda$__8",
        "#=qHJ9pmoIz378G1x0B31eH2CidaiOdV6DLfrtp1WQ35Q0=",
        "&&+%}!",
        "ReadChar",
        "4qiu%",
        "#=qNkF4$24brNGyMOYlUQj393pFEgGc7yicoZSTjZc2U_k=",
        "#=qt6bzCtEoNTvCkJX9j_4kZA==",
        "get_LParam",
        "#=qBTBFzfYdUs1kd$sDfT5Epz4Tl8141_7UIrCZjDszn5Q=",
        "v2.0.50727",
        "BlockCopy",
        "#Strings",
        "System.Collections.Generic",
        "#=q93VKpOIqdRN9spJigbfgrQ==",
        "#=q55q3lEdynyzHRQ573ELk9w==",
        "Ag<@+[",
        "#=qkz0tRkb9CLbnp8T0rNs8bD38RdjxjzMZ5i$ZzJHTh88=",
        "#=qquAKrvKQMWW7XtSurdlOiBConuNVZHvcIKParMXA0xo=",
        "#=qKdosTQrPrTm1tOzWi7_fuA==",
        "#=qfcadZftcNHMdcc$N_OWH5w==",
        "inStream",
        "ConnectionFailed",
        "Ru0=?+",
        "#=qTHk4ibx53ALvuTHC2wskqA==",
        "NtUnmapViewOfSection",
        "Replace",
        "windowSize",
        "set_Item",
        "!This program cannot be run in DOS mode.",
        "EmailClient",
        "get_Handle",
        "get_Msg",
        "GetTempPath",
        "#=qnWasDZNfCexjVbIXlOnpIw==",
        "ToInt32",
        "EndOfStreamException",
        "Compression.RangeCoder",
        "k,(|T",
        "#=qQJH4ux8HloTlAflsU0KOQw==",
        "_Lambda$__6",
        "DeleteLogs",
        "m_HighCoder",
        "RuntimeMethodHandle",
        "m_IsRepDecoders",
        "#=qSNORDi2PZ1IaS6Ix8w2Ovw==",
        "DirectoryInfo",
        "BuildingHostCache",
        "#=qsKOmOA5TX7dlM04qtgpOst$qgth3kf9KZZgdjC8x01c=",
        "Buffer",
        "#=qqj_P$pMjCtq2aNcNj2bfvufyGKfRlrOOaFr$XqaDVXU=",
        "#=qPiY_FtDE2jSdy0HqtmetjQ==",
        "#=qb3mKZgoJuDEsFa1T9bEUEXgvprlgegmeeniWKKiLI3E=",
        "value__",
        "#=qoqavODXRVVim6fghcoKuUg==",
        "GetValue",
        "#=qxTs7FlUCrQFGhk1vAwkrww==",
        "_stream",
        "m_PosMask",
        "#=q$lT2sqOctP5oFLjWBJEQs0BRL9aPnJgXluSQmhlzNCo=",
        "#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=",
        "#=qJmGC3VRVk1ET7LjbQuMLjv1DeKxnDw1Daxs6uZ9$FGs=",
        "RuntimeCompatibilityAttribute",
        "h[S:<",
        "Download",
        "keyState",
        "numPrevBits",
        "SuppressIldasmAttribute",
        "CommandType",
        "CompilationRelaxationsAttribute",
        "fefeffeefXa*&+",
        "#=qzmbTPkKexQ8AS0E1MhJt4_A4SKpUh8ZeSD1Jy_XS9eM=",
        "ffefeeffe",
        "#=qTvTlfv6UWF8IdF6Zqmb35eNfTGusCMVLLnh6QIr8tfc=",
        "ffefeefeffe",
        "#=qr0WxpkU89pDBkkfgDoLSTA==",
        "#=qAtoFurjRifVD18ho1R1Dg_WU5nSHW_qH7pBxN8aFTXc=",
        "get_Count",
        "GetFrame",
        "@pd/\\",
        "#=qTSHkb7KjuVyqS$aEfJJbZSroTPY6PUlDcdx_paGstVs=",
        "J$xgm",
        "feffeefefa",
        "4.0.0.0",
        "properties",
        "#=qA_ED7VJLXZPPKs12VIDWHSI60qb9KWEC_8LLPE2krW0=",
        "#=qxwLQaLG4uRX$LJGVfSKAwQ==",
        "CreateInstance",
        "feffefefeY",
        "MultiThread",
        "message",
        "ProjectData",
        "count",
        "posState",
        "#=qv7_G63PaFeyDwnDCC1g_2ru4l8PEzEzyOErEaKVPipg=",
        "#=qHhkScXruXZT5J3Z7jSiQgw==",
        "Compression.LZMA",
        "kBitModelTotal",
        "UInt32",
        "#=q9Faq5VxEeRCgWA$Fv2CQA2jL$TcgdmVDlxlkstaRIog=",
        "_Lambda$__9",
        "!z4V0?U",
        "MoveNext",
        "Monitor",
        "MySettings",
        "#=q4$epyV0nlPzbnzRsMLPu97OYyrwjvDZ_OdEY8a656zU=",
        "ValueType",
        "Round",
        "#=qIkSGT4qbCtcFRC7mMAAYkk84I1ZFkrYif3TMjD7ZPA6BOJlmCB8mpgUoVIHLwXka",
        "System.Windows.Forms",
        "ResolveEventArgs",
        "ApplicationSettingsBase",
        "#=qczls24TWLmlr2uaF9Rt2wA==",
        "#=q29P5wT0RtOGJtLYYrVuOyQJYKodBvb_Va_4aXFXskAY=",
        "NextRecord",
        "JpWt*i*",
        "Delegate",
        "inSize",
        "&&*}R",
        "~B)^VO$",
        "#=qm6zrH0rCSTx0zj182i8NBQ==",
        "#=qZov5VwasIgllCy$iPN3DNw==",
        "#=q7rWPYdgZxY0QTmTQR2fgkA==",
        "user32.dll",
        "iiyAt",
        "b`*&+",
        "}uS(zOQ",
        "Assembly",
        "#=qoKX_5NDx$uDAqG3r2Qdnaw==",
        "GetThreadContext",
        "#=qWToN2VSuMj$dJ8jwWVWiOw==",
        "m_Choice2",
        "UInt64",
        "#=qxBa98CfPwuO0cLdTtVr3UZ7sHS6clgMQTcxeOGfq1S8n3UU_wXWw5dLM3IIxjN4D",
        "12.0.0.0",
        "#=qCourOFK6$KSegqeVRJ$n6Q==",
        "Stream",
        "T{K+d",
        "NanoCore.ClientPlugin",
        "#=q1WnXnf5Kn3oZdelfZ9atXg==",
        "IClientDataHost",
        "System.Reflection",
        "get_BuilderSettings",
        "_Lambda$__3",
        "#=qufNwmAe7HQFIL14z99jHZDphg_1JvBp18S4ZB_HYCGk=",
        "#=qG3u5K_RNSi5MmPk5qGfBKA==",
        "#=qJOuiYi3iPZ3uVqoeKGMDrA==",
        "ObjectFlowControl",
        "#=qyEh7zio04YwNJbA3DRAL$w==",
        "LT/a%u:",
        "#=qbnS0OHMEgVPpx0TYW6jRag==",
        "#=q8gDcBSsTQnbm3KE02hl7OA==",
        "&&+Y}C",
        "ISetCoderProperties",
        "lParam",
        "get_Name",
        "SetPosBitsProperties",
        "#=qBC03ja1g7$0w$eh2jRxaQNyDuxwUf4rZ75JN5N$kch8=",
        "m_IsRep0LongDecoders",
        "#=qtR8C6BNO$zdw_O10qjEjJt6JYi$bG2X1MWCDgpSA5qI=",
        "Create",
        "RuntimeTypeHandle",
        "#=qLIG6VCTYxG1r34UESHGfO1ahvp9wHKfNE5aXgNksRVfBCY8bC6m10KiOo8KoXWAp",
        "SeekOrigin",
        "WrapNonExceptionThrows",
        "bufferSize",
        "get_TotalMinutes",
        "#=qX35LozMOnZ3iEnR45ploWg==",
        "HB:9/",
        "DebuggerStepThroughAttribute",
        "#=qcxNEmoaEf7Zh660RKW2dVQ==",
        "#=qlvbeh6Dpr600MHBhM5FM6w==",
        "EditorBrowsableState",
        "#=qvSf5MwzG8n0SP5HzSY2_SA==",
        "MA1O@",
        "Int64",
        "#=qatkJDnqMuS21CiNfog8F1qvM$VR71IK88NPDErK$cCY=",
        "DestroyHandle",
        "processId",
        "Microsoft.VisualBasic.MyServices.Internal",
        "#=qOGgnVTQ4xQCpfQDFVMvxDA==",
        "aqhgV\"",
        "System.CodeDom.Compiler",
        "System.Globalization",
        "#=q9xDVujoZXiSgiL5U3Ms$Ldw_aEku$YcJRTx_3Mn7bUU=",
        "VirtualAllocEx",
        "#=qWOxGbcFRgf83Lr2nIvLxMhjnXfcYgGMTYJ7wrFJ4zpU=",
        "get_ClientSettings",
        "removeHandle",
        "IntPtr",
        "Double",
        "#=quC7pb_XLQy2zPy$IHptd3gII7RxTbEmajVwI2QM2uDw=",
        "#=qWAKUq9CUhmQBqBddF0P5WA==",
        "#=qTVgha2c6EXq6oFogWKkJ$Q==",
        "kStartPosModelIndex",
        "IEnumerator",
        "#=qjfIm1PIGR6WF2vcep8flyA==",
        "_streamPos",
        "Timer",
        "#=qULF9QYOA4w2wDOoaAUQxV_zVQ8z$1R9w4sOnYqGnVZM=",
        "Assembly Version",
        "5Hyt)",
        "#=qYZPuHqYnW$Jt8HuO33EgZYVEW2BLvhWvH6HqYkna1vM=",
        "SendToServer",
        "#=qHs51RKHMwfV41Mwh991L9yGwclD4RD8GoEI6P7yiHCQ=",
        "SurveillanceExClientPlugin",
        "KeyValuePair`2",
        "#=qGlAaJxWXqCLviqDPasqF_1pEmmsHiVpOlHTQMftJNnM=",
        "LenDecoder",
        "#=qEwOBNFc9PVbJeL2o1SylSw==",
        "Clear",
        "#=q9d$pwaibXpl6EYmDW3LQyA==",
        "m_Choice",
        "#=qYczMyu4Q4ODpJ8_8yaxacw==",
        "#=qyM8Yaoy9PKeQBcWclAVdrdWwWFIiXRRFb3afnMytprg=",
        "m_MidCoder",
        "WndProc",
        "m_LowCoder",
        "#=q0sFoUO5oar9qfDXWiIsjK8QBKipcWLJeZEeGAn3jKTY=",
        "#=qoSjdpFhHgKw4ZkLE7HcUsA==",
        "#=q_0ryHl9Z3pX6cTMt2fN0mgWhGzumbPaq9sRkBsl9r8EcjEOO0EVuY7FHYqQczjcm",
        "IDATx",
        "ntdll.dll",
        "InternalName",
        "EKL={",
        "#=qXt41o0joH7oimdyJLyAEgb0$SgCvft18unPo3p7oDZ4=",
        "#=qErALxYBxbcQx7$wpILZasQ==",
        "GetExecutingAssembly",
        "#=qWLNfsz9$tdJq5W5eUmCK3g==",
        "Decode",
        "Usage",
        "kNumLitPosStatesBitsEncodingMax",
        "#=qniVQeVyK34aPdgdXRnruaUQrXw0DTGkycv51vldfdvs=",
        "_Lambda$__5",
        "State",
        "LiteralDecoder",
        "ffefeeffe(q",
        "mFLGG",
        "MulticastDelegate",
        "ClientPlugin",
        "title",
        "ComVisibleAttribute",
        "LayoutKind",
        "w,D.F ",
        "\\eRsH~&()",
        "SQnYq",
        "m_PosDecoders",
        "EditorBrowsableAttribute",
        "ReleaseStream",
        "#=q6edtgiaCLUi7SoZ61U8urA==",
        "_buffer",
        "b`h*&+",
        "#=qWOXTw_dLcjSXp$GN$pp5S1OPD7ZPz6$b2UbsKnONIhg=",
        "GetText",
        "solid",
        "kNumLowLenBits",
        "ICoder",
        "DebuggerHiddenAttribute",
        "ConnectionStateChanged",
        "#=q8DCG8ySziWq86pz6M2Nm1Q==",
        "#=qqUu6BRNscFAOfPTSzNJT1w==",
        "#=qqq0n2rS1_M7ChN0lsGOjWw==",
        "Window",
        "get_TotalSeconds",
        "&&*}5",
        "#=qWtdqJYyYX8j6Z3apMuSRyQY12glbN$YmR9vdImzaIBw=",
        "#=qG4$BfgVthjPwAu6cOeCEdA==",
        "#=qOkM4_GL6iJytfvW8X1Vv0JdORs6j60y4sZk64fltjPs=",
        "scanCode",
        "#=qH37BJRRVPDZdt_HquyjQCGhaKFyNxp4uozln_BmzbFU=",
        "ffefefeeffe",
        "NumPasses",
        "#=qaiFlnK6gufs9y1Oc4GuIMH251NlpwpnIGxTExPappTg=",
        "Di'8f#",
        "#=qjGf0Fo7ouDsRFksxehS1LLJzkD032TzIZQYMCq6zXPU=",
        "kNumLenSymbols",
        "#=qxNhCtLFT$uaHlRVrjNRfgQ==",
        "#=qNOZ9w$DcFPd9SOpnZgS0RQ==",
        "#=q9d0qL0bhhHsukDDuSglJm4WCBbjzHE0Bbid8Pr0XWh0=",
        "MyTemplate",
        "ArgumentOutOfRangeException",
        "#=qV79mcqV34cKRcC07zX3EAg==",
        "#=qgf2HF0U91g7Z5r3b_DTKKen95XyoRNKhJT0tZAdh0qE=",
        "GetName",
        "ClearProjectError",
        "#=qBXqRL3Dv9U6yo_YJzVNueLigr3DbGSqr8_$nTSKtZ2s=",
        "StackTrace",
        "outSize",
        "#=qPvYrleetOagqdcI9DE5KLx58LE24Y4CctC7$504MDk4=",
        "#=qkt_liXOxhoHW1IdbL3VH8w==",
        "#=qh9ajRGk2_65Q3Jd9wgongg==",
        "['c*a",
        "ClientSettingChanged",
        "ThreadPool",
        "threadId",
        "ffefeeffeXa",
        "#=qt3y2qSp0dv0vJPWjVw3zrUaK5pF8MkrfIOVi6473g$4=",
        "RuntimeEnvironment",
        "#=qr01FMUeoBCjkEqS0Tv6eBA==",
        "ViewLogs",
        "#=qc7jxesQacILbzixeNG7FgVPmFPAfjvpvdnuAU2yopkw=",
        "#=qTDB6veXFhv3LJZPZLsXjAA==",
        "'b(?P",
        "StartsWith",
        "System.IO",
        "lS]@\\",
        "#=qa5bWbwMs799DVwO6Xd1rN3bJzFHKr4_gzkvb0x1jS4Fq$eNnm1UXtsC$gMpO485Q",
        "#=qynZM5QfSMAmkvPfv_N252H9sirBUdDlLNsjX68Ie$iw=",
        "-b&(f",
        "[@'s8",
        "StringBuilder",
        "get_FullName",
        "get_LastWriteTime",
        "#=qnsLPayfk95jd6qjcEgWvsg==",
        "#=qkJLhjNBL62x0Maq56Qyxvg==",
        "Regex",
        "GetFiles",
        "Invoke",
        "qL88<",
        "nC=\"kO",
        "#=qISpXJwqB9eU0aC9WFSg0Ng==",
        "ReadInt32",
        "ep&L2lT",
        "@o$?H{",
        "Remove",
        "#=qsbY2J0lq2mDKdHpdoqFbhILxgHjBTI3htQgLDLlw4tw=",
        "DateTimeKind",
        "#=qy62TL0vimm$9c8r9cknBlg==",
        "#=q7yeIS$Nxs6vRTxwkrC3NI7XBjBtanYpAY7F6lpVJMNs=",
        "get_WParam",
        "o3K=M",
        "#=q9MSpJ0C9gy1tNtiHMT0xuOhK0eh3XkuUCIUdV0CL_Vc=",
        "feffeeffefe",
        "#=qDryb$Lj81YuexT_kT546UteX3jn1a5MWE58jzYBzqzA=",
        "kNumAlignBits",
        "m_IsMatchDecoders",
        "vD|Jy",
        "get_DeclaringType",
        "#=q5LicbGLyNvYH7rAg86LLew==",
        "#=qd8PFK0o9ZmfLuRvVs5TueBqBiNJMAYg6mfAY7qPvztw=",
        "#=qILpIzHL2R4oZr_xuJ35Ks0Qv8efeDFq9$IysEjhmwb8=",
        "#=qXwgB3iQRF3f74mr47OcIXA==",
        "Format",
        "#=qbaeFrXHqfUmKDWhl$m1oW1YJ6aPS$T3nwSKQdfykURs=",
        "IClientUIHost",
        "K.^^0d",
        "Pd5iG",
        "#>6Mzf",
        "#=qbt21$tSdKp3amqFUQffN4g==",
        "#=qmAOt84hQOfmqpLQTy_m9Gw==",
        "MakeCode",
        "get_Chars",
        "w,uNm",
        "#=qJLhNEnVZH5g1ZqJMJz$RzYGuUiBvJ7jvAqqxd1jmI9w=",
        "SetThreadContext",
        "fefeffefefe",
        "#=qoOW0Qs7uLOIFAgZnF5WYag==",
        "IClientNetworkHost",
        "get_TickCount",
        "KeyboardType",
        "AssemblyCompanyAttribute",
        "ResourceManager",
        "_Lambda$__4",
        "RawInputHeader",
        "fefeffeefY",
        "#=qfGRrfgRh9ShPgCgw1WBGlA==",
        "UsagePage",
        "#=q8kI8WUAO3EIwh$dDbLO4hBJVnsPN1Kf$8oLzDKgLItY=",
        "GetEnumerator",
        "m_PosStateMask",
        "GetPublicKeyToken",
        "defaultInstance",
        "Dispose__Instance__",
        "kNumPosStatesBitsMax",
        "y/Tbb3",
        "#=quNCOqLbHCNvjlAK7Bf3cDbhyHY_4LIdtbLCWmQ_qI5Y=",
        "#=qcoWy4j$hfMjQGUjg7sMLcA==",
        "#=qqAcSxqYR8KvfnXGv78vSLpHnokxYmR2kdhuhJW9_ry8=",
        "#=qamafmS78hoJBlTvbicCkog==",
        "#=qFFTan1UEcEUWGr2OOrOYjJGYp4rAAjZjzwTWUS0rVrw=",
        "#=qph0dM8ScBo399Qc8dFf7SlZHZ5$T9MiuQgUb1gNxX6w=",
        "#=qafWoeWm0EJ5rJHlvMm4iDkNn$EYGciEBRwJDLt7$nbQ=",
        "#=qVJN_4jIyRrZ5yAy$Rn5RLinbGCq7szN2kXQqx5f3mq0=",
        "ReadAllText",
        "tuerl",
        "ToArray",
        "#=qbXdnCoLjynzf7IU_sWtIxQ==",
        "get_CurrentDomain",
        "FileAccess",
        "#=qnkToepswNMS8gbnXEvMwzMYEEKNiPU5uDsX9dRhrWNQ=",
        "m_Coders",
        "get_Default",
        "get_IsAbsoluteUri",
        "LitPosBits",
        "4#Q22",
        "Empty",
        "#=q6PBQzT2s0OXAPNX0HyA9nA==",
        "get_MetadataToken",
        "GetCallingAssembly",
        "ReadPacket",
        "#=qB_ief8yBaOrLHFWAY1qqaBDkGFE5diWAXZyimYvjzkY=",
        "MapVirtualKeyEx",
        "GetWindowText",
        "BU2l$",
        "#=qrrF6$_dvEtwtuQKnJBulHA==",
        "#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=",
        "#=qQ0_U51a7sN5obfKsBtIlCA==",
        "Int16",
        "WaitCallback",
        "LogToServer",
        "#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=",
        "get_Item",
        "UInt16",
        "#=qyGd52xKGg1UK99QpoNpdz9dSKN3tgIE6mEvh5axkN4DdSC0KoH7ndNvZZfDKjIAY",
        "Mz&?8",
        "ffeeffefeef",
        "#=qy7iFFOCv78505n$_BrNPxRrFO5LEklS7ID6JkyE1sJ0=",
        "wParam",
        "maxLength",
        "fefefeffe_-",
        "get_Now",
        "kernel32.dll",
        "kEndPosModelIndex",
        "#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=",
        "#=qVSN1Lpi9mDmMGgmaAHvebQ==",
        "get_Size",
        "get_Variables",
        "pI,4711",
        "AssemblyTitleAttribute",
        "#=qhXmGn2CELzUWoG0JCIbI4w==",
        "#=qUto48Jl62GtgsCwHVL7Hgg==",
        "Delete",
        "Dictionary`2",
        "#=q0XvCVIzf4UbwwbesII8AcyVgrM$fv_y6$FjnV7yW05Q=",
        "IJxFC",
        "-H%a=",
        "get_BaseStream",
        "#=qkyQiUlPlMKotWknoHqlomhKQpOjgRch0EcZ31P06MMc=",
        "Dispose",
        "4UH@9JE",
        "B.rsrc",
        "matchByte",
        "TimerCallback",
        "fefeffeeffe",
        "MYkv[",
        "#=qjTb0yKP0PvX_$sNLZrWc3SrhKi2B8TapGYB0qQ_d2ic=",
        "NumFastBytes",
        "#=q2ps$7ibfUjB8cShObHpkOw==",
        "GetRawInputData",
        "GeneratedCodeAttribute",
        "#=qGbx9gQEhahxfxQgVR1WKYA==",
        "kNumLitContextBitsMax",
        "#=q1E8O4JTltplIX9hIlv2U_fvNRBdciVrREW4_qwWnAG8=",
        "#=qrGwSUb5xTQIFyn575GZnPg==",
        "#=qeRlDn71ka07USXFfJJUR2tjdNrp$C8rMYT7zAiVKaFY=",
        "#=qho_BPlTxogZ6unjnM3aUEA==",
        "qKsP&",
        "#=qjnoznhVPIrOVW7AdFC20oQRiO8PwCQlyil8yL1Vu$kM=",
        "KeyboardLogging",
        "u[AF7NM",
        "#=qO6x5ewjr4GGgRnaDV90ZlA==",
        "DnsGetCacheDataTable",
        "GetByte",
        "#=qXaCFAlCJk0zL$1TRW78z2TZB6TE_kmNEDibtTaGwApE=",
        "op_Subtraction",
        "de!#%d",
        "#=qMUhpaeAQYPZGtrQ6m5D8$T6a5UohdjKBly_QCCrNbic=",
        "#=qYf8VVQYyVIBbHqbd$XL$cA==",
        "Decompress",
        "\"zD_2",
        "qHF>7K",
        "#=qyJGUlE1_rLpfgGH0HVA4uA==",
        "#=qzk3NeGOwuEBmY8yfhx9RGeCtT3ElsluQSWlGax0FSTg=",
        "layout",
        "#=q463flxIG4yBvVk$L2nY$rA==",
        "#=qkArXx5faq_yiVVDZVy8zPg==",
        "#=qh0PZD5Xzw4GYzrxwVJgNXdBLljub_GVfhqf6qMZuuOM=",
        "#=q_kf6X0FJYJ49vkYU3o4hF4ABiUFCz_wIANIlPo9Wtqg=",
        "#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=",
        "BinaryWriter",
        "#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=",
        "#=q4w8mBBo92N6vPz_rEq4NCg==",
        "feffefeefef",
        "#=qGqoN6NYMG6qhAx_trPC_ossyh4syAKivlJ4ofRtY1Bc=",
        "ICodeProgress",
        "String",
        "#=qU5Uv$YfWv4YU_tU0WnuWRQ==",
        "#=qm6w5$AGhTmDiKS6fDc_8lQ==",
        "kTopValue",
        "Append",
        "numBitLevels",
        "#=qwRLyHsQEgr3hVfF8nnZ7KA==",
        "#=qia6Q_CLWGyNlq5m_x$gzsg==",
        "get_Host",
        "Yaa*&+",
        "Range",
        "#=qUByjqwT1e89jxnX_MQXMWbKNidprz_QzC__AUDqY7Uc=",
        "#=qt8g2vpq5xuzYmHVNoc4aRQ==",
        "#=q5B2i_ZFG$fkyLcTMcIhd9w==",
        "QueueUserWorkItem",
        "GetObjectValue",
        "#=qhketRNLRWT8CVAmblf0IwOvCoFFzVqRP3cb74HV_KhA=",
        "ChangeExtension",
        "#=qmhUzkJg2ExNnbX_5KEDmiQ==",
        "#=q4XS3XWwqg0cYnVCF1ZC2NbwZSfEBY5biSs$73sq9_qY=",
        "kNumFullDistances",
        "#=q_EpKD6Wcn8v1q27F7Au3V2_q9nsNwbRHldZOuKkGS9M=",
        "GetRandomFileName",
        "&&*}8",
        "#=q5g$eC0ljHvRuQ5Sjg8qhXD5ifXDj39Cm6o39Y5BwaAc=",
        "#=qLpgJeYVNxM5InVOGfQCJgQGoJXhVBZL78RSpTucm8vM=",
        "<generated method>",
        "#=qR6XN5QQYUNdzcxSpOeojXw==",
        "#=qRkVCQkwYopuW3FhsOB8R7Q==",
        "distance",
        "X!RF,",
        "V\\CDo",
        "#=q79jR0bJe_Ob_U2hce_Wy2KY4qSDCR$4x41oNq35cm3Y=",
        "#=qay1xmyx9Oqat62Q8L3hW8g==",
        "ContainsKey",
        "GetState",
        "#=qGvdgcYjJPldjZjV15YO1AQ==",
        "ContainsText",
        "#=qKkT5k_oMJ5jlOboYqGKerA==",
        "System.Diagnostics",
        "Marshal",
        "IClientNameObjectCollection",
        "SetProgress",
        "kNumStates",
        "#=qZDaMo8z4aSDSIJR8FYpOIWr2QgacQNuQzvtxGLdfriI=",
        "#=qE$fiW9I$YR8wzvprmP6GMg==",
        "IEnumerable`1",
        "ReadProcessMemory",
        "numPosBits",
        "#=qZVAY6xaoFDtd779Ohye_i7puUwiqn0vUdRn2mygGXjk=",
        ".ctor",
        "SetProjectError",
        "\"!&%'%8797:7;7",
        "#=q6cFrjMmsBzZaHdwkK64MvIJCVps43s79Zoc5jAQQ3B0=",
        "UpdateRep",
        "LogClientException",
        "rawInput",
        "DebuggerNonUserCodeAttribute",
        "#=qTmPD_08CamgMljHM9Dk1O8BoSybsXHEUiOmZnlrjslQ=",
        "#=qncI$$cNGF5Pots4RoA2KEQ==",
        "InternetBrowser",
        "StringReader",
        "AddDays",
        "ReferenceEquals",
        "GroupCollection",
        " :hu'a",
        "CLSCompliantAttribute",
        "virtualKey",
        "get_Groups",
        "Reserved",
        "1(:>/",
        "#=q3i4wls3IHcjOio705aCSHg==",
        "DataLength",
        "AsyncCallback",
        "#=qiw21QRsOuXRsr0EoFXe6yg==",
        "<Module>",
        "StructLayoutAttribute",
        "UriKind",
        "#=qbb8M4CbvbU9dtw7rljxsOgowhtC_M0HHHYDQvfbewMA=",
        "!:6=?J",
        "SizeOf",
        "Conversions",
        "numTotalBits",
        "Synchronized",
        "%B!eu",
        "StackFrame",
        "RegisterRawInputDevices",
        "FileVersion",
        "Decoder2",
        "ClientInvokeDelegate",
        "get_Key",
        "CreateHandle",
        "m_IsRepG0Decoders",
        "BitTreeDecoder",
        "CheckForSyncLockOnValueType",
        "IClientNetwork",
        "#=q4Nr8w$2KKfb5UztnulwYRg==",
        "kDicLogSizeMin",
        "PipeCreated",
        "Intern",
        "`.rsrc",
        "AssemblyFileVersionAttribute",
        "System.Threading",
        "ffefeeffea",
        "UpdateMatch",
        "Encoding",
        "IsNullOrEmpty",
        "#=qkmhFErk5YMKo51GKKlhE9g==",
        "StringFileInfo",
        "m_NumPrevBits",
        "LitContextBits",
        "Write",
        "GetRecords",
        "#=qrs1kHm2Vk1lgdS_uku1L9g==",
        "#=qMJgjQNh1HDTnQhoJXfa0WA==",
        "ReverseDecode",
        "AssemblyProductAttribute",
        "#=qPRgfS7lOTcyHKSlbB8xgkA==",
        "Microsoft.VisualBasic",
        "AppDomain",
        "#=qT1akwluU_CPHm0nhoKf6Rw==",
        "#=qfisk2$Joqzyumzd6fh2dOQ==",
        "get_Length",
        "#=qvfRcdVwrMsCxkiqADFMhLstfJFNrXezVOSkR7LYl6_c=",
        ".(\\iF",
        "#=qhY91O0Ehtf92oxnuh2FVz3zwgJyjBwDokEEXjvLvO6Q=",
        "feffefefefehah",
        "Win32",
        "z0v{1*",
        "#=qvvwoAYTFwjESTUFg0fNF7SLde7qYhx8qSoPZyr3HMfc=",
        "Contains",
        "BinaryReader",
        "ToInt16",
        "L269a",
        "VariableChanged",
        ",?eg!",
        "#=qQqcsGt5b2PDsslTZJ$dt_mKNdeXa0POgZBx5R0LjlPM=",
        "#=qw9VSFm68B5Ljl$xHUUa_Hw==",
        "get_Assembly",
        "FileInfo",
        "#=qbbS2gH77jp8FUp6F13JpY6MGDSb9v3gnCOBNgbF7cVA=",
        "GetHashCode",
        "kAlignTableSize",
        "m_OutWindow",
        "m_DictionarySizeCheck",
        "#=qpQr3Y9fGkwa$qRqPoCizPZ9VR0dem4a4NMuT_i6c3sQ=",
        "#=qUZFlYoOocheA6eC84I2B1Q==",
        "MemoryStream",
        "3System.Resources.Tools.StronglyTypedResourceBuilder",
        "#=q7_TpaeFTuHRPDnfbdnzhMw==",
        "IsControl",
        "SettingsBase",
        "Change",
        "#=qXH69A$_8u_BEH$6TuzFn6w==",
        "m_RepLenDecoder",
        "#=q5kTowhAuuSOCKCKI6_gw5Q==",
        "Activator",
        "#=qrrUz6hC0NPP229srrATMtK3maxNKi2E6oaUoFmACl9I=",
        "DnsCommand",
        "wisxa",
        "GetKeyboardState",
        "Flags",
        "#=qVmsOOzNjkaQuSyIKz50umg==",
        "OriginalFilename",
        "BitDecoder",
        "#=qeZCoccI3yJdWJ3ayrHW$WA==",
        "kNumLenToPosStatesBits",
        "UpdateShortRep",
        "#=q7xw_62wJAROEdfmrcOfU9A==",
        "#=qGPyC5Xsppd3A9GM1nbF6UA==",
        "#=qz_b1L2sFeS3InI52Fcb$xw==",
        "WriteProcessMemory",
        "kNumBitModelTotalBits",
        "#=qhe3YBArn2XZllRv5mtI$IA==",
        "-7& G",
        "ToUnicodeEx",
        "-=&~L",
        "System.Runtime.InteropServices",
        "w`TeE",
        "#=qUUTENRjCs2Tp8v$UkD2pyj$_WERyijyYrwjs9ap51Bc=",
        "#=qYnC$MeSjL22yOmZmIH9O5Q==",
        "flags",
        "add_AssemblyResolve",
        "SetCoderProperties",
        "Rz4Zy",
        "Decoder",
        "#=qA6W6GWeKbpqYNXHHn0NOqQ==",
        "GetManifestResourceStream",
        "VS_VERSION_INFO",
        "#=qxPKYwApYHsDUAngYujXcMg==",
        "feffeefeffe ",
        "ISetDecoderProperties",
        "Combine",
        "Create__Instance__",
        "ffeeffefehah",
        "Computer",
        "#=qHULrE3ucj3pP3z4Q8AHNQ6f7gkmXn_0Fohqp275LJtI=",
        "m_LenDecoder",
        "ApplicationBase",
        "#=qL4z9que7yasXNRV3gE808Q==",
        "EndMarker",
        "#=qbxOnQHmVH_9KW47BBLVbiw==",
        "ReadString",
        "TmYM>K",
        "E'Y=u",
        "#=qps$_CRy8QN3tD8_cpxbl5Q==",
        "#=qOB8cEznqDkvIxRcccHlIsv7sC6k2hObkCZSKdkJ_Zsk=",
        "#=qv$8E8sC6lJIPtd2$JZCylw==",
        "startIndex",
        "List`1",
        "Object",
        "kNumHighLenBits",
        "AssemblyCopyrightAttribute",
        "DefRawInputProc",
        "1.0.1.7",
        "w,X8WD",
        "#=q4JDS1p4qILBfxV6iYzPvew==",
        "#=qG0TXdiUc5RapAeqxDJArye7UrdqGI4sA16AWYfcrCf0=",
        "Lzma#.dll",
        "fefefeffe",
        "StringSplitOptions",
        "#=qMaYcsaYwkZMTqb1yZLawvsT_RxwqTAeocZdt0axWTAI=",
        "#=qtnUi7yodyLqv1sucEHesww==",
        "#=qj4ZL7Xa5Jh3aXGsDJ8nwq9Ol$7j95Q2WIH6RXdknYOM=",
        "get_Value",
        "Compression.LZ",
        "PosStateBits",
        "#=qCqIROk23BL$5SZnsNcMGzw==",
        "get_ProcessName",
        "NanoCore.ClientPluginHost",
        "m_PosAlignDecoder",
        "#=qgvFUiZFJ0DnA4jPHJSI0$g==",
        "Header",
        "afefefeffe",
        "SetClipboardViewer",
        ".cctor",
        "NativeWindow",
        "#=qp0rjqvRPFB117u1oIM8eyg==",
        "#=qNwsNe80RUFvWuBVxKYH7CdkcJCEYrUuUzsDzmfG3Y0f_hVViDx0xK8xqdS9y79EZ",
        "Enter",
        "#=qMb7ah3f2LZnw5uZZ2MwFiVVbfzLytVjDFOGKjr3$eXM=",
        "#=q7ZvQqMWc8EiVYIemfr8kugujhdIVidtkVJrdNaMKkMY=",
        "#=qnKfe8RVyBZnzTVIYVRXs3lz7$G7e6QuPxi3Jx3scwJ4=",
        "PipeClosed",
        "#=q8PUUaAp4ut016MmvuKrU1A==",
        "Message",
        "#=qcYLUomKQ3VHSKmjKloHutA==",
        "Array",
        "#=qdLYSf0D2H54oOFJ36kM4Rg==",
        "Microsoft.VisualBasic.ApplicationServices"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "b7b4d47ba3fc76015fb8c7bb34b6d87f0458375f59d8e89b6a9569948044976b",
      "path": "/opt/CAPEv2/storage/analyses/49/procdump/b7b4d47ba3fc76015fb8c7bb34b6d87f0458375f59d8e89b6a9569948044976b",
      "guest_paths": "1;?C:\\Windows\\SysWOW64\\rundll32.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll;?",
      "size": 88064,
      "crc32": "90EE3418",
      "md5": "b2d1c7f2f757a3c21bc50dddfb79a3ac",
      "sha1": "0626690cebbdd647588dcf1afb25a47e6cc7ac1e",
      "sha256": "b7b4d47ba3fc76015fb8c7bb34b6d87f0458375f59d8e89b6a9569948044976b",
      "sha512": "aa44ea92a8fecf9846150103a9887ece7b6371588c3e3fb8b65a0c5a5477bc92795cca94d78657a05d9ef67979bdd5d279eac6b26bb9086f1836ac2cefb31aae",
      "rh_hash": null,
      "ssdeep": "1536:Em7D0nfqF4xcRR+41CbiPVJZQyF+k6QF+miGb+9YBERRfCgR0U0T1b:Em7DYfm4SRR+NaVEs+k6kiS+94ERR6gs",
      "type": "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "DITEKSHEN_MALWARE_Win_Nanocore",
          "meta": {
            "description": "Detects NanoCore",
            "author": "ditekSHen",
            "id": "931b98f6-df2b-538b-bc49-ecbbd24334da",
            "date": "2020-11-06",
            "modified": "2024-11-01",
            "reference": "https://github.com/ditekshen/detection",
            "source_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681",
            "license_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt",
            "logic_hash": "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7",
            "score": 75,
            "quality": 75,
            "tags": "FILE"
          },
          "strings": [
            "NanoCore.ClientPlugin",
            "NanoCore.ClientPluginHost",
            "IClientData",
            "IClientNetwork",
            "IClientDataHost",
            "IClientLoggingHost",
            "IClientNetworkHost",
            "IClientUIHost",
            "IClientNameObjectCollection",
            "IClientReadOnlyNameObjectCollection",
            "ClientPlugin",
            "get_ClientSettings"
          ],
          "addresses": {
            "x2": 63864,
            "x3": 63917,
            "i2": 63852,
            "i3": 63886,
            "i5": 63901,
            "i6": 63943,
            "i7": 63962,
            "i8": 63981,
            "i9": 63995,
            "i10": 64023,
            "s1": 63873,
            "s6": 84386
          }
        },
        {
          "name": "Windows_Trojan_Nanocore_d8c4e3c5",
          "meta": {
            "author": "Elastic Security",
            "id": "d8c4e3c5-8bcc-43d2-9104-fa3774282da5",
            "fingerprint": "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4",
            "creation_date": "2021-06-13",
            "last_modified": "2021-08-23",
            "threat_name": "Windows.Trojan.Nanocore",
            "reference_sample": "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd",
            "severity": 100,
            "arch_context": "x86, arm64",
            "scan_context": "file, memory",
            "license": "Elastic License v2",
            "os": "windows"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "NanoCore.ClientPlugin",
            "get_BuilderSettings",
            "LogClientException",
            "IClientLoggingHost"
          ],
          "addresses": {
            "a1": 63917,
            "a2": 63864,
            "b1": 84211,
            "b7": 84066,
            "b9": 63943
          }
        },
        {
          "name": "Nanocore_RAT_Gen_2",
          "meta": {
            "description": "Detects the Nanocore RAT",
            "author": "Florian Roth",
            "score": 100,
            "reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "date": "2016-04-22",
            "hash1": "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "IClientNetworkHost"
          ],
          "addresses": {
            "x1": 63917,
            "x2": 63962
          }
        },
        {
          "name": "NETDLLMicrosoft",
          "meta": {
            "author": "malware-lu"
          },
          "strings": [
            "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
          ],
          "addresses": {
            "a0": 88014
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_DLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsDLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsConsole",
          "meta": {},
          "strings": [],
          "addresses": {}
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T10E83AF086B88867FCFAE977D6052164A5371C297AC93E7DA3CA444B50F67BE007432E7",
      "sha3_384": "1ff9e5e74e3ed5436d4d59f1fcd90850089309c8d8ed12e7f3df5b08690e515ac61d24213f718276edb486a1b9ccb7f1",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x000173f2",
        "ep_bytes": "ff25002040000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x0001c577",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorDllMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x00017398",
            "size": "0x00000057"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x0001a000",
            "size": "0x00002f88"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00018000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00002000",
            "virtual_size": "0x00016000",
            "size_of_data": "0x00015400",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xe0000020",
            "entropy": "6.94"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00015800",
            "virtual_address": "0x00018000",
            "virtual_size": "0x00002000",
            "size_of_data": "0x00000000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.00"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00015800",
            "virtual_address": "0x0001a000",
            "virtual_size": "0x00004000",
            "size_of_data": "0x00000000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "0.00"
          }
        ],
        "overlay": null,
        "resources": [],
        "versioninfo": [],
        "imphash": "dae02f32a21e03ce65412f6e56942daa",
        "timestamp": "2015-02-22 00:49:49",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "#=qJMk2mm7JzMNLHm_qiokaBg==",
        "#=qdKcJdwMiOeYxOOef7tprPA==",
        "FileSystemInfo",
        "SurveillanceExClientPlugin.dll",
        "#=qj9ZxzplN98x0cw4vsdTIeAYbm4MuQTx3vvInSGv6TNQ=",
        "#=qmYO5ZdL8rYBU50vW2vu2vA==",
        "#=qNvC_NYQ$jxwZUcf0Dch28Q==",
        "#=q3$2Q8bGYuhwIzDGhDbeVKw==",
        "Concat",
        "MatchCollection",
        "Device",
        "wgdYBzhSP",
        "mscoree.dll",
        "get_Unicode",
        "DecodeDirectBits",
        "Environment",
        "0.0.0.0",
        "#=qSEueyU62hrm3SqHJ6k683A==",
        "#=q_DoWG6qBrmNj2sFXhHToddcMKO0wW3x6VUG0Xl$sx6Q=",
        "_Lambda$__2",
        "#=qCY4x0Hk1DV3VV540zoAoHq44QCRyxMpq9Z7J0uRDONc=",
        "AssemblyName",
        "Handle",
        "$+8)l",
        "WriteCoderProperties",
        "System.Collections",
        "DnsRecord",
        "#=qoESbzrXX757aiWupYaS0Fg==",
        "GetWindowThreadProcessId",
        "System.Resources",
        "\\3P0_",
        "GetProcessById",
        "set_Value",
        "#=qLoRN6X6HIt1Xa9meALla1w==",
        "#=qRLsSPguDZ2WiS_9q1jK0OA==",
        "feffeeffeefa",
        "kNumPosStatesBitsEncodingMax",
        "buffer",
        "9feffefeefef",
        "#=qXbC0g0j7eSDHrYXbfI7uUQ==",
        "numPosStates",
        "fefeffefefeYa*&+",
        "#=q1SKypGFVOvRWVSxnayoaZA==",
        "ffefeeffeefa",
        "#=qWJ6BottP3sy8x7gEdcb0bA==",
        "DNSLogging",
        "`Q[;*",
        "Int32",
        "#=qX9Iav0g17FfZrf$Wa_Z$UA==",
        "MethodBase",
        "?lg(*%",
        "#=q1gvzY2QJaRNC2Opj5zvkew==",
        "#=qQtYdx8zGiMcgHSZRdJY2eNz7X7jeIu77OE$6MbjGdow=",
        "Operators",
        "#=qkWsKP7N1mMxiLhNKbBGyYQ==",
        "OutWindow",
        "#Blob",
        "kNumPosStatesEncodingMax",
        "_CorDllMain",
        "#=qjuMRqjMOfCBSkBZ$qdWB7gfgShTNiHkLFmJMr9kwm2s=",
        "dictionarySize",
        "System.Text.RegularExpressions",
        "m_IsRepG1Decoders",
        "AddRange",
        "m_NumPosStates",
        "#=qitflJGbE1LvsFZhH2KI8iw==",
        "m_IsRepG2Decoders",
        "w,>XG",
        "FxtdFQ",
        "#=qLkA5Ktc2Vyv3E0oIB4RaGKVcXXSrFPOpFhegspshwsM=",
        "#=q3On07nwtezKDVaTvvy7hQw==",
        "System.Text",
        "DefaultMemberAttribute",
        "#=q_lmCRPO7dEMifptlI90PUI6fTs37DVMnLP3Tc_99pO9b_Ar2C6S3QjxXlqu$2$Ji",
        "Lzma#",
        "#=qMf1osOFZtYMmK9zzNx40rfvv_YoLwDp8OMEKs9fpung=",
        "*g<G#",
        "#=qyu3NT2dToM$yBnnmjJpX_A==",
        "GetFileName",
        "r1@bR",
        "m_NumPosBits",
        "BeginInvoke",
        "#=q$JRP3cfSdESKqcBwdqroDA==",
        "*feffeefefa(k",
        "}f?}(",
        "#=qnK4q617M6jpGr1Yao9yYqS$4rymgiQhJ4ZFnefse3xw=",
        "#=qeoqI9zQPLOZjV1JthHFzOD41rl7NT5wwztozAPfluxU=",
        "#=q87OQiW26GT5YhhifxB1ycQ==",
        "#=qbq1zwN5cBc2zVzfqhNqQ3A==",
        "#=qZEddNhTPipNw6nrWW_Y$yg==",
        "#=qC8mTOCLir0glpBrmJ0SdnmHHFbkpzCiiLHzNBfM8wGI=",
        "#=q$lfwQP3V$fI_eAT4UNT4Xw==",
        "_windowSize",
        "#=qVfaUfLDWAzF$RlYVgj1wNF8n8kmTu$wot2J$tCjGN8Y=",
        "pL;tw3^",
        "kNumPosSlotBits",
        "#=qwEixqO2naf_HFyLxM_Gcyg==",
        "DictionarySize",
        "#=q6OFP010g5soKgnTnbmu3Kw==",
        "#=qnKUfPP6szza9tbB6nUy8xg==",
        "m_LiteralDecoder",
        "#=qbSzob7di0xhquDotppyDIQ==",
        "#=qQYHJ9cbQC48EyKpwpB16nA==",
        "VarFileInfo",
        "#=q44Ge7WkJpSnGLK6MLWcFSRNgYnrWBmFZXNBBEoIIDaA=",
        "#=q4JZtAkw1AbHjZDLXOWX1S7hObryEvjHFr2lpmZRKKqk=",
        "UsedMemorySize",
        "ExportLogs",
        "CreateParams",
        "kNumLowLenSymbols",
        "System.Runtime.CompilerServices",
        "m_RangeDecoder",
        "propIDs",
        "#=qFmRvgsWHCKQ4mLv0tVX1LpXWrQGWBW2uPMRDDZBQ3NE=",
        "#=qEpLGwcDnU1CmOXL0_Q9_G3ma45ep4FwMouAEwhe3UDs=",
        "#=qfr01crnlLbYOSEVqdzZl_w==",
        "#=qtHnEPLPkk7hMadnASVBYOQ==",
        "#=q8m3eeZ3I1fe5NWroFByPwA==",
        "GetMethod",
        "#=qK2wA50V2hd26U81M2F89yA==",
        "#=q_jsSB3r53EMKsX0IF7998lJdtArDwZA$R1FORxem2gw=",
        "#=qIgstGGQ5QFyArsA4tFZ9gMXl2Z1n7FQM8Ir5yEhe7bg=",
        "3N,6T*",
        "IAsyncResult",
        "EndInvoke",
        "Algorithm",
        "#=qn5IIXKsG$Rjf5NLYW0itfKOM31oZHLt3gLqf2_kftP8=",
        "Exists",
        "Clipboard",
        "stream",
        "#=qswcK7hT_kB0QKWfJkx5yaA==",
        "command",
        "#=qdp3_X66oJZlpIuv5LiL7oQ==",
        "#=qdGm5exfEhNFieJscVwP7Ig==",
        "User32.dll",
        "kNumLenToPosStates",
        "SetDictionarySize",
        ".text",
        "NumBitLevels",
        "tWG:ga6z",
        "Capture",
        "_.S1y#",
        "GuidAttribute",
        "#=qnYAWlQj57yOiw8G56cyZ1xAHaR1U7XOmUh4Dl1Ry2dw=",
        "NanoCore",
        "FileStream",
        "MemberInfo",
        "AssemblyTrademarkAttribute",
        "kNumRepDistances",
        "#=qpnx7zwfabY$GPmx17OGM$Q==",
        "$b@k,",
        "Match",
        "#=qm3$lqQFHE5yybYEUJcsoLQ==",
        "DateTime",
        "IDisposable",
        "LoggingCommand",
        "#=qZa8aL9QQpAct_eZ$OvV3DGt0jcd0qAWUB$fEqNjyKFc=",
        "#=qI9SaxQ9YixVXqEOEyYy4jg==",
        "GetRuntimeDirectory",
        "#=qGISQnMqbcWeKV0TurcNIKw==",
        "ProductVersion",
        "#=qzJW9ga54odAXLIjfGeC53w==",
        "#=qoYvuV7eCvAwMxHUFDJS8wA==",
        "Models",
        "FileDescription",
        "@.reloc",
        "ffeefefeffea",
        "#=qYqZmZ8i0gJ622Li_3yoHLg==",
        "DebuggerDisplayAttribute",
        "w,khq",
        "w,&0,){",
        "KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator",
        "get_Position",
        "#=qMHZxfZF2XEPb0lw4JSM_Rw==",
        "IClientLoggingHost",
        "#=qqMa2dn7Mo8AUqcdTNVrKnysHWb5y124IcjK25vm9eZo=",
        "#=qt$d$Ds4e4Jw1OgazOrFmP7IjRAhcajYSRQ3nV1Gv_gE=",
        "Wow64GetThreadContext",
        "kMatchMinLen",
        "#=qGcjgY6CoWEyIyBHhl8IOzBWznvmxUV$ea7X6DYChG4I=",
        "#=qTL5DPmA8W6iSCBjEJji2rQ==",
        "#=q$rj0ypz44wmTUIatF3mcCg==",
        "#=qsgunsIbevOIs8JXy3CoZMA==",
        "GetObject",
        "#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=",
        "#=qTYMI4cCoxNXwMnM7O2jYeq5drMeUlMrrV09hYVC9erY=",
        "GetDirectories",
        "kAlignMask",
        "*Q:Z<B",
        "GetDirectoryName",
        "#=qE6F54GYIBpn$BZEfY630Wg==",
        "Thread",
        "CreateDirectory",
        "ffeeffefefea",
        "#=qIi_Ou2QI9eJprahHe$q2OQ==",
        "Index",
        "#=q3Z5wFl9_0OdP0OU1ZerzvQ==",
        "#=qZiNMDewvnldx4qzy3_KAqsLzOSv7XeVY6NGBzI7UWoI=",
        "#=qUEJZL$C$BINDXimDMMdI001yzN7JKwKsT6fA3y_33Zs=",
        "#=qX0mlJ6fIIwM2M3pw4kuJng==",
        "#=qVtDJRWPjI1BzmKOCciT_67L$pos6o3jsSqZbgwOmTXo=",
        "CopyBlock",
        "PutByte",
        "\"HL%=1",
        "kMatchMaxLen",
        "IClientData",
        "Directory",
        "#=q_epRHVto2biCMMVbfiHzdQ==",
        "#=qRJ08F9z0iJoY3iiXB0Qlrw==",
        "000004b0",
        "ReadLine",
        "#=qmoIs$6x0ZDyGXIN93fBP0w==",
        "#=qL7K9B3ZmF8NvfG9na7qxaiahB_Fp2Mn46HhJZMIv3sM=",
        "m_PosSlotDecoder",
        "Translation",
        "mscorlib",
        "#=q9T22Isi75tDHRtquK1dSvA==",
        "RuntimeHelpers",
        "IWriteCoderProperties",
        "#=qmUIbDGkqnZakNX$ZVNONlw==",
        "#=qtkP1JPc7yNllp83Le5QCNA==",
        "#=qtD63hWVl90223y03RXLNrA==",
        "-%&~P",
        "#=qzR6FgwKHQePmETWSV3UHVg==",
        "IClientReadOnlyNameObjectCollection",
        "#=q2YB5GAXeEvmYmIsxoHVu4uVCCNRqFNZApRAwgfaevQg=",
        "kNumPosStatesMax",
        "UM>!NC'O",
        "#=qwyZBd1E$zygsKRdrCM1tlg==",
        "#=qadlAy0ld3tNeu$IcI$2Jq_Arv7ASxtaLzDJHV4HhJlY=",
        "HideModuleNameAttribute",
        "_Lambda$__7",
        "Default",
        "#=qWmdtsGcuMivbk1JtTASVvg==",
        "recordList",
        "o M(d",
        "outStream",
        "#=qSseLs6pMe5FoflVo2bRqOQ==",
        "Wow64SetThreadContext",
        "rawInputDevices",
        "ToLower",
        "IsCharState",
        "SetDecoderProperties",
        "Boolean",
        "8.0.0.0",
        "q<+-T5",
        "#=qur7j1M5vHkSPasucOkbcNw==",
        "J{4!jpH",
        "Order",
        "SendMessage",
        "#=qBcPm_drbp7ocdEoXBCg55Q==",
        "pAB|\"",
        "Matches",
        "#=qbVZ2VGZYhcslyt7WOHvByg==",
        "#=qZrBp2zQvnJP1R2KqzmmR8A==",
        "#=qt5WsljHA_z4lWKJJiNRSEGCnAbuC8NDsfhiN_p8Vhq4=",
        "System.Security",
        "Resources.resources",
        "Exception",
        "td8V/",
        "Sleep",
        "#=q$eByR1alsjlxVI5xhSAtpg==",
        "#=qUvNuZD70A1m1h5rP8mt7hxHu6e1_lErn05OLHflfW_U=",
        "#=qMxv2Vlcc2Tp8j_uByDYyGJMxccShzf3B6SeYq7g7Daw=",
        "TimeSpan",
        "DecodeWithMatchByte",
        "Tc#Cf",
        "#=q0$8sFvWAj3Q5z0kt5$qL1A==",
        "GetString",
        "#=q2gdZtLtmxCrF2SEuXdll9g==",
        "#GUID",
        "#=qy7SdMitZjkIreiUV191vv9ssNSzMPuW8jMow5TTkIUU=",
        "AssemblyDescriptionAttribute",
        "afeffeeffefe",
        "#=qG_YyprUv4EKXjeIN$dVZHA==",
        "#=qlAdkkonfdPbm4KDS2op$vaZdX8byjv$LxAv$dtNhCYM=",
        "#=qiuuc1hm1qoPzINMXy6yo6g==",
        "_Lambda$__10",
        "Flush",
        "get_UserName",
        "#=qf$JSULqR8FwRBjD8O35M78CMWrW22oajqxT6WI8BsvY=",
        "#=qpQA5HetEkOqW8wCwEjKRvA==",
        "GetBytes",
        "& v<y",
        "Microsoft.VisualBasic.Devices",
        "#=qM20PlP1dETH_UsxzbJfTKA==",
        "kNumMidLenSymbols",
        "RawInputKeyboard",
        "#=qW2f_iwWmYEr7F$sLsSJyUQOLwNV7jFL4HCiEoxW8lh4=",
        "#=qJaPb45IJRsbtEzYPWDbNwpthPAgk3ktYb4cxU6CRRns=",
        "#=qaouzCOurd1KB0CsJ9gMIzQ==",
        "#=qNX0lYEuSQ$nDBW9nSNQAZQ==",
        "lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet",
        "BitConverter",
        "set_Position",
        "ReadByte",
        "ChangeClipboardChain",
        ">5n4T",
        "#=qjPdKXesXFUYK$lTAuWfj4g==",
        "#=qZ8jdBbqDQs5U27LEbuhkeA==",
        "#=q2oxbm0Yzi5XQVj1QkCC71A==",
        "VUyP`\"",
        "StandardModuleAttribute",
        "#=qwJ4w0jkRVthW3ex8w5dly$cWay1Am4JSh9ZTwaXqcz4=",
        "kNumPosModels",
        "#=qFIAR8B1f$tNJs2xhTgINCnRaZkcxVSBxxXtjUtb7Whs=",
        "#=qMwDyeKYTOkSPK81Bwd7OY2mUhsDwOc5zugQnqg1ZfW0=",
        "#=qc3C7cwFHdA0fP9ewBftW90qaZ7YCZNSkeDx2JbA$rIM=",
        "GetLogs",
        "GetTypeFromHandle",
        "Split",
        "@3n'pA",
        "!FI};",
        "#=qr03MMh5pLoqsU2EEvN6ch6Tr7EGrL5c9eR_71qVrp$c=",
        ",{Uu\"p",
        "#=qxns0sTKVsgArVmXl3cFChFnM3Jv6Np_VftoasierUvg=",
        "get_Current",
        "#=qApHfpHzdRAuqPbkbKAzJmptqQgc7NLQ6T4N$H6aQHdw=",
        "4System.Web.Services.Protocols.SoapHttpClientProtocol",
        "FileMode",
        "#=qzx697Szk1moqO$yUynaioQ==",
        "#=qryghDdZnHsy$RagUj_T5aw==",
        "#=q3$4$aeeKw0G6KJpmbsHtCSC3$LdCNMfTzWNTjLVfIoU=",
        "System.Configuration",
        "$a58de1a4-5da5-48e4-8e57-197cc7b39b9b",
        "#=qT03bmh7uoc7QIggZX8722i59yRaiKXEb45q$FKk2uZY=",
        "GetForegroundWindow",
        "#=qfvCuRNoH9u00SSFFCvqZfg==",
        "Enumerator",
        "_Lambda$__1",
        "rangeDecoder",
        "#=qIxjnZll5GhllBN9b$ufZ3w==",
        "PasswordCommand",
        "Process",
        "#=qBvMiXP1hJ6VKxap1MxE0TUe8TQ47t0bgRFkWT_2Ymyk=",
        "#=q5sfq13B7vXg052uxfqu39g==",
        "CoderPropID",
        "]DB?w",
        "m_Decoders",
        "handle",
        "#=qBFvoYJt20gtsoLlWjU7jDuRfeDDIa87upzYCldwrNpI=",
        "headerSize",
        "GetLenToPosState",
        "lR7YPL",
        "#=qsV5K_71ZHH78FtoiXhsOYTV_Csv1aAdiiSCpj2X2l6o=",
        "#=qgHfmPA2gNKnydwzqeSF_2nVCUjp4Sfb3eJfQd$j975A=",
        "GetKeyboardLayout",
        "progress",
        "Microsoft.VisualBasic.CompilerServices",
        "prevByte",
        "ResolveEventHandler",
        "KeyboardCommand",
        "#=qt4h6_$cdnIG2g3BjEtlC9w==",
        "#=qZL$T$hC424exz5$sUQkm7w==",
        "#=qgC0tfaC3XL8FoOE$$1EOPjdVRTBNXr2NN6qMTkS_iSk=",
        "op_Equality",
        "PtrToStructure",
        "#=qmj_W3318X7UXjXz1JgFDnA==",
        "dnsapi.dll",
        "System",
        "CultureInfo",
        "#=qK8YSOZHQFwZhkU76$yIGwZGiGsr64hyFLs_9C0C9am4=",
        "#=qAQlIVHekXJrJwpDPrher5Q==",
        "_[&_C",
        "RawInputDevice",
        "#=qVa4dlGgXioIeYYgbx3$NvQ==",
        "~kItE",
        "m_DictionarySize",
        "DecodeNormal",
        "pvKSg&",
        "#=qPQ2EtheKurZp3OCkjzyyfQ==",
        "#=qCOMF0I9Fd3HxgGmFBDkurw==",
        "nextHandle",
        "#=qXtiqGLzJVH3aswCtlNNiug==",
        "MyGroupCollectionAttribute",
        "#=qrfNBcNMYeC4rLqwqMcn1jQ==",
        "CreateProcess",
        "#=qqLHT7hLUa1CKAG8LwjstJ5pArtyKEnkhPdyr1iCpbvQ=",
        "#=qU1ta1c$LOdIR6a7j6Rj67A==",
        "Group",
        "#=qKm6o1ledVqdR1Rw65bjQpA==",
        "MatchFinder",
        "ToByte",
        "#=qmHLlS2qqUAdmPyMYO7MoCg==",
        "UpdateChar",
        "#=q9kl5SZeUeIanHPXqH8Byvg==",
        "#=qg8F7l$fE22BW2JsfOcHpQA==",
        "Close",
        "#=qLt1igOtnjDbO40cq0340qg==",
        "#=qq9v5LklzRMUWeC0fX17u2w==",
        "7bocd",
        "#=q7SFZv3_X1jh__i0qS$yTrM3aMBoo7MMGOOAa9ltriPA=",
        "get_UTF8",
        "yz)X:",
        ",aNu^",
        "System.ComponentModel",
        "PADPADP",
        "SuppressUnmanagedCodeSecurityAttribute",
        "#=qqH0HzK5dpalJBOwa$wm3qg==",
        "ToString",
        "#=qyyoWizFgb3s$leRoJx8tVA6$nX314Se8B3eVLLvmYmg=",
        "#=qD_tmohqZXqQNhfRrQTYMfA==",
        "LegalCopyright",
        "#=qPS5ww9Qh4Qg1KnC9SiWQMg==",
        "kNumMidLenBits",
        "#=qgfJt9ZkqNp_s2eN$EF8lRoKBGN4LufTLNE1dmIBIf28=",
        "CompareString",
        "w,koK",
        "#=qykGtg3M9D9MTgOzaJO5xlg==",
        "(P~GY6*",
        "w,,p\\Rn",
        "#=qlZpTa_5oxuNhvwPl6FFKJg==",
        "#=qSq5zYE9oYXENFbc3V2Pe6w==",
        "kNumMoveBits",
        "_cX*n",
        "CompilerGeneratedAttribute",
        "#=qajec5milwVsqpbQNJ3pdAg==",
        "#=qE9U$URsu_c0Ig08qpeApRw==",
        "#=qxNAiPpjp2npMNB0TDaEubA==",
        "Equals",
        "#=qJuchJ7XfDSJXhX78ouEvSDi2Fm4IZfphEm1lxVR84W8=",
        "Extra",
        "#=qtdpI8mE0PC7HKAm0rggvhIxya1OU5XWEFr8n2AbzdwE=",
        "#=qbDWEs19y0rXNZJloHjyEAXFFSfYqbb6nrn10YnV15GU=",
        "inputBytes",
        "#=qyM4k7EGb5X12gk8YOkeNSQ==",
        "#=qkQ6DX9hRr8CpN4pCprp8dKTu5XpWEUA3fFuODRBQebM=",
        "SendTools",
        "#=q$ga0JQ2t4Nzt317dL7s1HA==",
        "#=qFiQXtwwrpPrf6i6Nohe$2A==",
        "#=qizSuKVUZWi22rIa8Z61Irg==",
        "ContextValue`1",
        "SetValue",
        "ResumeThread",
        "#=q6Yv$G4eHDn8gxVVQ7jH00Q==",
        "#=qaeAZ85IK9icf1hoO$eIUgQ==",
        "#=qTm4mE2BvwyQu9opBPZoYvABEXk1NdIbQ5LncPq_d5OQ=",
        "ApplicationLogging",
        "SetLiteralProperties",
        "#=qaGMznr3c$ok6TsLDKsBgpA==",
        "#=qsWLw4NosPP1gi5wOWkKQoz05m2lejq$6CuB$iOBB3AI=",
        "#=qGgwwpS30yt7z7wmA5NNa3g==",
        "_Lambda$__8",
        "#=qHJ9pmoIz378G1x0B31eH2CidaiOdV6DLfrtp1WQ35Q0=",
        "&&+%}!",
        "ReadChar",
        "4qiu%",
        "#=qNkF4$24brNGyMOYlUQj393pFEgGc7yicoZSTjZc2U_k=",
        "#=qt6bzCtEoNTvCkJX9j_4kZA==",
        "get_LParam",
        "#=qBTBFzfYdUs1kd$sDfT5Epz4Tl8141_7UIrCZjDszn5Q=",
        "v2.0.50727",
        "BlockCopy",
        "#Strings",
        "System.Collections.Generic",
        "#=q93VKpOIqdRN9spJigbfgrQ==",
        "#=q55q3lEdynyzHRQ573ELk9w==",
        "Ag<@+[",
        "#=qkz0tRkb9CLbnp8T0rNs8bD38RdjxjzMZ5i$ZzJHTh88=",
        "#=qquAKrvKQMWW7XtSurdlOiBConuNVZHvcIKParMXA0xo=",
        "#=qKdosTQrPrTm1tOzWi7_fuA==",
        "#=qfcadZftcNHMdcc$N_OWH5w==",
        "inStream",
        "ConnectionFailed",
        "Ru0=?+",
        "#=qTHk4ibx53ALvuTHC2wskqA==",
        "NtUnmapViewOfSection",
        "Replace",
        "windowSize",
        "set_Item",
        "!This program cannot be run in DOS mode.",
        "EmailClient",
        "get_Handle",
        "get_Msg",
        "GetTempPath",
        "#=qnWasDZNfCexjVbIXlOnpIw==",
        "ToInt32",
        "EndOfStreamException",
        "Compression.RangeCoder",
        "k,(|T",
        "#=qQJH4ux8HloTlAflsU0KOQw==",
        "_Lambda$__6",
        "DeleteLogs",
        "m_HighCoder",
        "RuntimeMethodHandle",
        "m_IsRepDecoders",
        "#=qSNORDi2PZ1IaS6Ix8w2Ovw==",
        "DirectoryInfo",
        "BuildingHostCache",
        "#=qsKOmOA5TX7dlM04qtgpOst$qgth3kf9KZZgdjC8x01c=",
        "Buffer",
        "#=qqj_P$pMjCtq2aNcNj2bfvufyGKfRlrOOaFr$XqaDVXU=",
        "#=qPiY_FtDE2jSdy0HqtmetjQ==",
        "#=qb3mKZgoJuDEsFa1T9bEUEXgvprlgegmeeniWKKiLI3E=",
        "value__",
        "#=qoqavODXRVVim6fghcoKuUg==",
        "GetValue",
        "#=qxTs7FlUCrQFGhk1vAwkrww==",
        "_stream",
        "m_PosMask",
        "#=q$lT2sqOctP5oFLjWBJEQs0BRL9aPnJgXluSQmhlzNCo=",
        "#=q4Jhplum5EMsDzltMg_L_tgoPjr8zzldX6k5uL$T8QHU=",
        "#=qJmGC3VRVk1ET7LjbQuMLjv1DeKxnDw1Daxs6uZ9$FGs=",
        "RuntimeCompatibilityAttribute",
        "h[S:<",
        "Download",
        "keyState",
        "numPrevBits",
        "SuppressIldasmAttribute",
        "CommandType",
        "CompilationRelaxationsAttribute",
        "fefeffeefXa*&+",
        "#=qzmbTPkKexQ8AS0E1MhJt4_A4SKpUh8ZeSD1Jy_XS9eM=",
        "ffefeeffe",
        "#=qTvTlfv6UWF8IdF6Zqmb35eNfTGusCMVLLnh6QIr8tfc=",
        "ffefeefeffe",
        "#=qr0WxpkU89pDBkkfgDoLSTA==",
        "#=qAtoFurjRifVD18ho1R1Dg_WU5nSHW_qH7pBxN8aFTXc=",
        "get_Count",
        "GetFrame",
        "@pd/\\",
        "#=qTSHkb7KjuVyqS$aEfJJbZSroTPY6PUlDcdx_paGstVs=",
        "J$xgm",
        "feffeefefa",
        "4.0.0.0",
        "properties",
        "#=qA_ED7VJLXZPPKs12VIDWHSI60qb9KWEC_8LLPE2krW0=",
        "#=qxwLQaLG4uRX$LJGVfSKAwQ==",
        "CreateInstance",
        "feffefefeY",
        "MultiThread",
        "message",
        "ProjectData",
        "count",
        "posState",
        "#=qv7_G63PaFeyDwnDCC1g_2ru4l8PEzEzyOErEaKVPipg=",
        "#=qHhkScXruXZT5J3Z7jSiQgw==",
        "Compression.LZMA",
        "kBitModelTotal",
        "UInt32",
        "#=q9Faq5VxEeRCgWA$Fv2CQA2jL$TcgdmVDlxlkstaRIog=",
        "_Lambda$__9",
        "!z4V0?U",
        "MoveNext",
        "Monitor",
        "MySettings",
        "#=q4$epyV0nlPzbnzRsMLPu97OYyrwjvDZ_OdEY8a656zU=",
        "ValueType",
        "Round",
        "#=qIkSGT4qbCtcFRC7mMAAYkk84I1ZFkrYif3TMjD7ZPA6BOJlmCB8mpgUoVIHLwXka",
        "System.Windows.Forms",
        "ResolveEventArgs",
        "ApplicationSettingsBase",
        "#=qczls24TWLmlr2uaF9Rt2wA==",
        "#=q29P5wT0RtOGJtLYYrVuOyQJYKodBvb_Va_4aXFXskAY=",
        "NextRecord",
        "JpWt*i*",
        "Delegate",
        "inSize",
        "&&*}R",
        "~B)^VO$",
        "#=qm6zrH0rCSTx0zj182i8NBQ==",
        "#=qZov5VwasIgllCy$iPN3DNw==",
        "#=q7rWPYdgZxY0QTmTQR2fgkA==",
        "user32.dll",
        "iiyAt",
        "b`*&+",
        "}uS(zOQ",
        "Assembly",
        "#=qoKX_5NDx$uDAqG3r2Qdnaw==",
        "GetThreadContext",
        "#=qWToN2VSuMj$dJ8jwWVWiOw==",
        "m_Choice2",
        ".reloc",
        "UInt64",
        "#=qxBa98CfPwuO0cLdTtVr3UZ7sHS6clgMQTcxeOGfq1S8n3UU_wXWw5dLM3IIxjN4D",
        "12.0.0.0",
        "#=qCourOFK6$KSegqeVRJ$n6Q==",
        "Stream",
        "T{K+d",
        "NanoCore.ClientPlugin",
        "#=q1WnXnf5Kn3oZdelfZ9atXg==",
        "IClientDataHost",
        "System.Reflection",
        "get_BuilderSettings",
        "_Lambda$__3",
        "#=qufNwmAe7HQFIL14z99jHZDphg_1JvBp18S4ZB_HYCGk=",
        "#=qG3u5K_RNSi5MmPk5qGfBKA==",
        "#=qJOuiYi3iPZ3uVqoeKGMDrA==",
        "ObjectFlowControl",
        "#=qyEh7zio04YwNJbA3DRAL$w==",
        "LT/a%u:",
        "#=qbnS0OHMEgVPpx0TYW6jRag==",
        "#=q8gDcBSsTQnbm3KE02hl7OA==",
        "&&+Y}C",
        "ISetCoderProperties",
        "lParam",
        "get_Name",
        "SetPosBitsProperties",
        "#=qBC03ja1g7$0w$eh2jRxaQNyDuxwUf4rZ75JN5N$kch8=",
        "m_IsRep0LongDecoders",
        "#=qtR8C6BNO$zdw_O10qjEjJt6JYi$bG2X1MWCDgpSA5qI=",
        "Create",
        "RuntimeTypeHandle",
        "#=qLIG6VCTYxG1r34UESHGfO1ahvp9wHKfNE5aXgNksRVfBCY8bC6m10KiOo8KoXWAp",
        "SeekOrigin",
        "WrapNonExceptionThrows",
        "bufferSize",
        "get_TotalMinutes",
        "#=qX35LozMOnZ3iEnR45ploWg==",
        "HB:9/",
        "DebuggerStepThroughAttribute",
        "#=qcxNEmoaEf7Zh660RKW2dVQ==",
        "#=qlvbeh6Dpr600MHBhM5FM6w==",
        "EditorBrowsableState",
        "#=qvSf5MwzG8n0SP5HzSY2_SA==",
        "MA1O@",
        "Int64",
        "#=qatkJDnqMuS21CiNfog8F1qvM$VR71IK88NPDErK$cCY=",
        "DestroyHandle",
        "processId",
        "Microsoft.VisualBasic.MyServices.Internal",
        "#=qOGgnVTQ4xQCpfQDFVMvxDA==",
        "aqhgV\"",
        "System.CodeDom.Compiler",
        "System.Globalization",
        "#=q9xDVujoZXiSgiL5U3Ms$Ldw_aEku$YcJRTx_3Mn7bUU=",
        "VirtualAllocEx",
        "#=qWOxGbcFRgf83Lr2nIvLxMhjnXfcYgGMTYJ7wrFJ4zpU=",
        "get_ClientSettings",
        "removeHandle",
        "IntPtr",
        "Double",
        "#=quC7pb_XLQy2zPy$IHptd3gII7RxTbEmajVwI2QM2uDw=",
        "#=qWAKUq9CUhmQBqBddF0P5WA==",
        "#=qTVgha2c6EXq6oFogWKkJ$Q==",
        "kStartPosModelIndex",
        "IEnumerator",
        "#=qjfIm1PIGR6WF2vcep8flyA==",
        "_streamPos",
        "Timer",
        "#=qULF9QYOA4w2wDOoaAUQxV_zVQ8z$1R9w4sOnYqGnVZM=",
        "Assembly Version",
        "5Hyt)",
        "#=qYZPuHqYnW$Jt8HuO33EgZYVEW2BLvhWvH6HqYkna1vM=",
        "SendToServer",
        "#=qHs51RKHMwfV41Mwh991L9yGwclD4RD8GoEI6P7yiHCQ=",
        "SurveillanceExClientPlugin",
        "KeyValuePair`2",
        "#=qGlAaJxWXqCLviqDPasqF_1pEmmsHiVpOlHTQMftJNnM=",
        "LenDecoder",
        "#=qEwOBNFc9PVbJeL2o1SylSw==",
        "Clear",
        "#=q9d$pwaibXpl6EYmDW3LQyA==",
        "m_Choice",
        "#=qYczMyu4Q4ODpJ8_8yaxacw==",
        "#=qyM8Yaoy9PKeQBcWclAVdrdWwWFIiXRRFb3afnMytprg=",
        "m_MidCoder",
        "WndProc",
        "m_LowCoder",
        "#=q0sFoUO5oar9qfDXWiIsjK8QBKipcWLJeZEeGAn3jKTY=",
        "#=qoSjdpFhHgKw4ZkLE7HcUsA==",
        "#=q_0ryHl9Z3pX6cTMt2fN0mgWhGzumbPaq9sRkBsl9r8EcjEOO0EVuY7FHYqQczjcm",
        "InternalName",
        "ntdll.dll",
        "EKL={",
        "#=qXt41o0joH7oimdyJLyAEgb0$SgCvft18unPo3p7oDZ4=",
        "#=qErALxYBxbcQx7$wpILZasQ==",
        "GetExecutingAssembly",
        "#=qWLNfsz9$tdJq5W5eUmCK3g==",
        "Decode",
        "Usage",
        "kNumLitPosStatesBitsEncodingMax",
        "#=qniVQeVyK34aPdgdXRnruaUQrXw0DTGkycv51vldfdvs=",
        "_Lambda$__5",
        "State",
        "LiteralDecoder",
        "ffefeeffe(q",
        "mFLGG",
        "MulticastDelegate",
        "ClientPlugin",
        "title",
        "ComVisibleAttribute",
        "LayoutKind",
        "w,D.F ",
        "\\eRsH~&()",
        "SQnYq",
        "m_PosDecoders",
        "EditorBrowsableAttribute",
        "ReleaseStream",
        "#=q6edtgiaCLUi7SoZ61U8urA==",
        "_buffer",
        "b`h*&+",
        "#=qWOXTw_dLcjSXp$GN$pp5S1OPD7ZPz6$b2UbsKnONIhg=",
        "GetText",
        "solid",
        "kNumLowLenBits",
        "ICoder",
        "DebuggerHiddenAttribute",
        "ConnectionStateChanged",
        "#=q8DCG8ySziWq86pz6M2Nm1Q==",
        "#=qqUu6BRNscFAOfPTSzNJT1w==",
        "#=qqq0n2rS1_M7ChN0lsGOjWw==",
        "Window",
        "get_TotalSeconds",
        "&&*}5",
        "#=qWtdqJYyYX8j6Z3apMuSRyQY12glbN$YmR9vdImzaIBw=",
        "#=qG4$BfgVthjPwAu6cOeCEdA==",
        "#=qOkM4_GL6iJytfvW8X1Vv0JdORs6j60y4sZk64fltjPs=",
        "scanCode",
        "#=qH37BJRRVPDZdt_HquyjQCGhaKFyNxp4uozln_BmzbFU=",
        "ffefefeeffe",
        "NumPasses",
        "#=qaiFlnK6gufs9y1Oc4GuIMH251NlpwpnIGxTExPappTg=",
        "Di'8f#",
        "#=qjGf0Fo7ouDsRFksxehS1LLJzkD032TzIZQYMCq6zXPU=",
        "kNumLenSymbols",
        "#=qxNhCtLFT$uaHlRVrjNRfgQ==",
        "#=qNOZ9w$DcFPd9SOpnZgS0RQ==",
        "#=q9d0qL0bhhHsukDDuSglJm4WCBbjzHE0Bbid8Pr0XWh0=",
        "MyTemplate",
        "ArgumentOutOfRangeException",
        "#=qV79mcqV34cKRcC07zX3EAg==",
        "#=qgf2HF0U91g7Z5r3b_DTKKen95XyoRNKhJT0tZAdh0qE=",
        "GetName",
        "ClearProjectError",
        "#=qBXqRL3Dv9U6yo_YJzVNueLigr3DbGSqr8_$nTSKtZ2s=",
        "StackTrace",
        "outSize",
        "#=qPvYrleetOagqdcI9DE5KLx58LE24Y4CctC7$504MDk4=",
        "#=qkt_liXOxhoHW1IdbL3VH8w==",
        "#=qh9ajRGk2_65Q3Jd9wgongg==",
        "['c*a",
        "ClientSettingChanged",
        "ThreadPool",
        "threadId",
        "ffefeeffeXa",
        "#=qt3y2qSp0dv0vJPWjVw3zrUaK5pF8MkrfIOVi6473g$4=",
        "RuntimeEnvironment",
        "#=qr01FMUeoBCjkEqS0Tv6eBA==",
        "ViewLogs",
        "#=qc7jxesQacILbzixeNG7FgVPmFPAfjvpvdnuAU2yopkw=",
        "#=qTDB6veXFhv3LJZPZLsXjAA==",
        "'b(?P",
        "StartsWith",
        "System.IO",
        "lS]@\\",
        "#=qa5bWbwMs799DVwO6Xd1rN3bJzFHKr4_gzkvb0x1jS4Fq$eNnm1UXtsC$gMpO485Q",
        "#=qynZM5QfSMAmkvPfv_N252H9sirBUdDlLNsjX68Ie$iw=",
        "-b&(f",
        "[@'s8",
        "StringBuilder",
        "get_FullName",
        "get_LastWriteTime",
        "#=qnsLPayfk95jd6qjcEgWvsg==",
        "#=qkJLhjNBL62x0Maq56Qyxvg==",
        "Regex",
        "GetFiles",
        "Invoke",
        "qL88<",
        "nC=\"kO",
        "#=qISpXJwqB9eU0aC9WFSg0Ng==",
        "ReadInt32",
        "ep&L2lT",
        "@o$?H{",
        "Remove",
        "#=qsbY2J0lq2mDKdHpdoqFbhILxgHjBTI3htQgLDLlw4tw=",
        "DateTimeKind",
        "#=qy62TL0vimm$9c8r9cknBlg==",
        "#=q7yeIS$Nxs6vRTxwkrC3NI7XBjBtanYpAY7F6lpVJMNs=",
        "get_WParam",
        "o3K=M",
        "#=q9MSpJ0C9gy1tNtiHMT0xuOhK0eh3XkuUCIUdV0CL_Vc=",
        "feffeeffefe",
        "#=qDryb$Lj81YuexT_kT546UteX3jn1a5MWE58jzYBzqzA=",
        "kNumAlignBits",
        "m_IsMatchDecoders",
        "vD|Jy",
        "get_DeclaringType",
        "#=q5LicbGLyNvYH7rAg86LLew==",
        "#=qd8PFK0o9ZmfLuRvVs5TueBqBiNJMAYg6mfAY7qPvztw=",
        "#=qILpIzHL2R4oZr_xuJ35Ks0Qv8efeDFq9$IysEjhmwb8=",
        "#=qXwgB3iQRF3f74mr47OcIXA==",
        "Format",
        "#=qbaeFrXHqfUmKDWhl$m1oW1YJ6aPS$T3nwSKQdfykURs=",
        "IClientUIHost",
        "K.^^0d",
        "Pd5iG",
        "#>6Mzf",
        "#=qbt21$tSdKp3amqFUQffN4g==",
        "#=qmAOt84hQOfmqpLQTy_m9Gw==",
        "MakeCode",
        "get_Chars",
        "w,uNm",
        "#=qJLhNEnVZH5g1ZqJMJz$RzYGuUiBvJ7jvAqqxd1jmI9w=",
        "SetThreadContext",
        "fefeffefefe",
        "#=qoOW0Qs7uLOIFAgZnF5WYag==",
        "IClientNetworkHost",
        "get_TickCount",
        "KeyboardType",
        "AssemblyCompanyAttribute",
        "ResourceManager",
        "_Lambda$__4",
        "RawInputHeader",
        "fefeffeefY",
        "#=qfGRrfgRh9ShPgCgw1WBGlA==",
        "UsagePage",
        "#=q8kI8WUAO3EIwh$dDbLO4hBJVnsPN1Kf$8oLzDKgLItY=",
        "GetEnumerator",
        "m_PosStateMask",
        "GetPublicKeyToken",
        "defaultInstance",
        "Dispose__Instance__",
        "kNumPosStatesBitsMax",
        "y/Tbb3",
        "#=quNCOqLbHCNvjlAK7Bf3cDbhyHY_4LIdtbLCWmQ_qI5Y=",
        "#=qcoWy4j$hfMjQGUjg7sMLcA==",
        "#=qqAcSxqYR8KvfnXGv78vSLpHnokxYmR2kdhuhJW9_ry8=",
        "#=qamafmS78hoJBlTvbicCkog==",
        "#=qFFTan1UEcEUWGr2OOrOYjJGYp4rAAjZjzwTWUS0rVrw=",
        "#=qph0dM8ScBo399Qc8dFf7SlZHZ5$T9MiuQgUb1gNxX6w=",
        "#=qafWoeWm0EJ5rJHlvMm4iDkNn$EYGciEBRwJDLt7$nbQ=",
        "#=qVJN_4jIyRrZ5yAy$Rn5RLinbGCq7szN2kXQqx5f3mq0=",
        "ReadAllText",
        "tuerl",
        "ToArray",
        "#=qbXdnCoLjynzf7IU_sWtIxQ==",
        "get_CurrentDomain",
        "FileAccess",
        "#=qnkToepswNMS8gbnXEvMwzMYEEKNiPU5uDsX9dRhrWNQ=",
        "m_Coders",
        "get_Default",
        "get_IsAbsoluteUri",
        "LitPosBits",
        "4#Q22",
        "Empty",
        "#=q6PBQzT2s0OXAPNX0HyA9nA==",
        "get_MetadataToken",
        "GetCallingAssembly",
        "ReadPacket",
        "#=qB_ief8yBaOrLHFWAY1qqaBDkGFE5diWAXZyimYvjzkY=",
        "MapVirtualKeyEx",
        "GetWindowText",
        "BU2l$",
        "#=qrrF6$_dvEtwtuQKnJBulHA==",
        "#=q$SxR33u2B2QKyvTy6OUx3VUEnsU1BBIwrFbNm_dTmvc=",
        "#=qQ0_U51a7sN5obfKsBtIlCA==",
        "Int16",
        "WaitCallback",
        "LogToServer",
        "#=qjw6ERKjxRJyhmlKKhTbkm3qZjjnDTqlES7REqNxqUOg=",
        "get_Item",
        "UInt16",
        "#=qyGd52xKGg1UK99QpoNpdz9dSKN3tgIE6mEvh5axkN4DdSC0KoH7ndNvZZfDKjIAY",
        "Mz&?8",
        "ffeeffefeef",
        "#=qy7iFFOCv78505n$_BrNPxRrFO5LEklS7ID6JkyE1sJ0=",
        "wParam",
        "maxLength",
        "fefefeffe_-",
        "get_Now",
        "kernel32.dll",
        "kEndPosModelIndex",
        "#=qBUViwm1Wzov4U2EcqfWHEYm9yRhCdBkuxxjXALmkpzo=",
        "#=qVSN1Lpi9mDmMGgmaAHvebQ==",
        "get_Size",
        "get_Variables",
        "pI,4711",
        "AssemblyTitleAttribute",
        "#=qhXmGn2CELzUWoG0JCIbI4w==",
        "#=qUto48Jl62GtgsCwHVL7Hgg==",
        "Delete",
        "Dictionary`2",
        "#=q0XvCVIzf4UbwwbesII8AcyVgrM$fv_y6$FjnV7yW05Q=",
        "IJxFC",
        "-H%a=",
        "get_BaseStream",
        "#=qkyQiUlPlMKotWknoHqlomhKQpOjgRch0EcZ31P06MMc=",
        "Dispose",
        "4UH@9JE",
        "B.rsrc",
        "matchByte",
        "TimerCallback",
        "fefeffeeffe",
        "MYkv[",
        "#=qjTb0yKP0PvX_$sNLZrWc3SrhKi2B8TapGYB0qQ_d2ic=",
        "NumFastBytes",
        "#=q2ps$7ibfUjB8cShObHpkOw==",
        "GetRawInputData",
        "GeneratedCodeAttribute",
        "#=qGbx9gQEhahxfxQgVR1WKYA==",
        "kNumLitContextBitsMax",
        "#=q1E8O4JTltplIX9hIlv2U_fvNRBdciVrREW4_qwWnAG8=",
        "#=qrGwSUb5xTQIFyn575GZnPg==",
        "#=qeRlDn71ka07USXFfJJUR2tjdNrp$C8rMYT7zAiVKaFY=",
        "#=qho_BPlTxogZ6unjnM3aUEA==",
        "qKsP&",
        "#=qjnoznhVPIrOVW7AdFC20oQRiO8PwCQlyil8yL1Vu$kM=",
        "KeyboardLogging",
        "u[AF7NM",
        "#=qO6x5ewjr4GGgRnaDV90ZlA==",
        "DnsGetCacheDataTable",
        "GetByte",
        "#=qXaCFAlCJk0zL$1TRW78z2TZB6TE_kmNEDibtTaGwApE=",
        "op_Subtraction",
        "de!#%d",
        "#=qMUhpaeAQYPZGtrQ6m5D8$T6a5UohdjKBly_QCCrNbic=",
        "#=qYf8VVQYyVIBbHqbd$XL$cA==",
        "Decompress",
        "\"zD_2",
        "qHF>7K",
        "#=qyJGUlE1_rLpfgGH0HVA4uA==",
        "#=qzk3NeGOwuEBmY8yfhx9RGeCtT3ElsluQSWlGax0FSTg=",
        "layout",
        "#=q463flxIG4yBvVk$L2nY$rA==",
        "#=qkArXx5faq_yiVVDZVy8zPg==",
        "#=qh0PZD5Xzw4GYzrxwVJgNXdBLljub_GVfhqf6qMZuuOM=",
        "#=q_kf6X0FJYJ49vkYU3o4hF4ABiUFCz_wIANIlPo9Wtqg=",
        "#=qZDfXudm0$xsDWCHGELpd5JJQykxvZE2iCT02xHzYWZs=",
        "BinaryWriter",
        "#=qm8f9k1aXVtORA4naJCkxW5anSegBcHo_NtygLkyg$zI=",
        "#=q4w8mBBo92N6vPz_rEq4NCg==",
        "feffefeefef",
        "#=qGqoN6NYMG6qhAx_trPC_ossyh4syAKivlJ4ofRtY1Bc=",
        "ICodeProgress",
        "String",
        "#=qU5Uv$YfWv4YU_tU0WnuWRQ==",
        "#=qm6w5$AGhTmDiKS6fDc_8lQ==",
        "kTopValue",
        "Append",
        "numBitLevels",
        "#=qwRLyHsQEgr3hVfF8nnZ7KA==",
        "#=qia6Q_CLWGyNlq5m_x$gzsg==",
        "get_Host",
        "Yaa*&+",
        "Range",
        "#=qUByjqwT1e89jxnX_MQXMWbKNidprz_QzC__AUDqY7Uc=",
        "#=qt8g2vpq5xuzYmHVNoc4aRQ==",
        "#=q5B2i_ZFG$fkyLcTMcIhd9w==",
        "QueueUserWorkItem",
        "GetObjectValue",
        "#=qhketRNLRWT8CVAmblf0IwOvCoFFzVqRP3cb74HV_KhA=",
        "ChangeExtension",
        "#=qmhUzkJg2ExNnbX_5KEDmiQ==",
        "#=q4XS3XWwqg0cYnVCF1ZC2NbwZSfEBY5biSs$73sq9_qY=",
        "kNumFullDistances",
        "#=q_EpKD6Wcn8v1q27F7Au3V2_q9nsNwbRHldZOuKkGS9M=",
        "GetRandomFileName",
        "&&*}8",
        "#=q5g$eC0ljHvRuQ5Sjg8qhXD5ifXDj39Cm6o39Y5BwaAc=",
        "#=qLpgJeYVNxM5InVOGfQCJgQGoJXhVBZL78RSpTucm8vM=",
        "<generated method>",
        "#=qR6XN5QQYUNdzcxSpOeojXw==",
        "#=qRkVCQkwYopuW3FhsOB8R7Q==",
        "distance",
        "X!RF,",
        "V\\CDo",
        "#=q79jR0bJe_Ob_U2hce_Wy2KY4qSDCR$4x41oNq35cm3Y=",
        "#=qay1xmyx9Oqat62Q8L3hW8g==",
        "ContainsKey",
        "GetState",
        "#=qGvdgcYjJPldjZjV15YO1AQ==",
        "ContainsText",
        "#=qKkT5k_oMJ5jlOboYqGKerA==",
        "System.Diagnostics",
        "Marshal",
        "IClientNameObjectCollection",
        "SetProgress",
        "kNumStates",
        "#=qZDaMo8z4aSDSIJR8FYpOIWr2QgacQNuQzvtxGLdfriI=",
        "#=qE$fiW9I$YR8wzvprmP6GMg==",
        "IEnumerable`1",
        "ReadProcessMemory",
        "numPosBits",
        "#=qZVAY6xaoFDtd779Ohye_i7puUwiqn0vUdRn2mygGXjk=",
        ".ctor",
        "SetProjectError",
        "\"!&%'%8797:7;7",
        "#=q6cFrjMmsBzZaHdwkK64MvIJCVps43s79Zoc5jAQQ3B0=",
        "UpdateRep",
        "LogClientException",
        "rawInput",
        "DebuggerNonUserCodeAttribute",
        "#=qTmPD_08CamgMljHM9Dk1O8BoSybsXHEUiOmZnlrjslQ=",
        "#=qncI$$cNGF5Pots4RoA2KEQ==",
        "InternetBrowser",
        "StringReader",
        "AddDays",
        "ReferenceEquals",
        "GroupCollection",
        " :hu'a",
        "CLSCompliantAttribute",
        "virtualKey",
        "get_Groups",
        "Reserved",
        "1(:>/",
        "#=q3i4wls3IHcjOio705aCSHg==",
        "DataLength",
        "AsyncCallback",
        "#=qiw21QRsOuXRsr0EoFXe6yg==",
        "<Module>",
        "StructLayoutAttribute",
        "UriKind",
        "#=qbb8M4CbvbU9dtw7rljxsOgowhtC_M0HHHYDQvfbewMA=",
        "!:6=?J",
        "SizeOf",
        "Conversions",
        "numTotalBits",
        "Synchronized",
        "%B!eu",
        "StackFrame",
        "RegisterRawInputDevices",
        "FileVersion",
        "Decoder2",
        "ClientInvokeDelegate",
        "get_Key",
        "CreateHandle",
        "m_IsRepG0Decoders",
        "BitTreeDecoder",
        "CheckForSyncLockOnValueType",
        "IClientNetwork",
        "#=q4Nr8w$2KKfb5UztnulwYRg==",
        "kDicLogSizeMin",
        "PipeCreated",
        "Intern",
        "`.rsrc",
        "AssemblyFileVersionAttribute",
        "System.Threading",
        "ffefeeffea",
        "UpdateMatch",
        "Encoding",
        "IsNullOrEmpty",
        "#=qkmhFErk5YMKo51GKKlhE9g==",
        "StringFileInfo",
        "m_NumPrevBits",
        "LitContextBits",
        "Write",
        "GetRecords",
        "#=qrs1kHm2Vk1lgdS_uku1L9g==",
        "#=qMJgjQNh1HDTnQhoJXfa0WA==",
        "ReverseDecode",
        "AssemblyProductAttribute",
        "#=qPRgfS7lOTcyHKSlbB8xgkA==",
        "Microsoft.VisualBasic",
        "AppDomain",
        "#=qT1akwluU_CPHm0nhoKf6Rw==",
        "#=qfisk2$Joqzyumzd6fh2dOQ==",
        "get_Length",
        "#=qvfRcdVwrMsCxkiqADFMhLstfJFNrXezVOSkR7LYl6_c=",
        ".(\\iF",
        "#=qhY91O0Ehtf92oxnuh2FVz3zwgJyjBwDokEEXjvLvO6Q=",
        "feffefefefehah",
        "Win32",
        "z0v{1*",
        "#=qvvwoAYTFwjESTUFg0fNF7SLde7qYhx8qSoPZyr3HMfc=",
        "Contains",
        "BinaryReader",
        "ToInt16",
        "L269a",
        "VariableChanged",
        ",?eg!",
        "#=qQqcsGt5b2PDsslTZJ$dt_mKNdeXa0POgZBx5R0LjlPM=",
        "#=qw9VSFm68B5Ljl$xHUUa_Hw==",
        "get_Assembly",
        "FileInfo",
        "#=qbbS2gH77jp8FUp6F13JpY6MGDSb9v3gnCOBNgbF7cVA=",
        "GetHashCode",
        "kAlignTableSize",
        "m_OutWindow",
        "m_DictionarySizeCheck",
        "#=qpQr3Y9fGkwa$qRqPoCizPZ9VR0dem4a4NMuT_i6c3sQ=",
        "#=qUZFlYoOocheA6eC84I2B1Q==",
        "MemoryStream",
        "3System.Resources.Tools.StronglyTypedResourceBuilder",
        "#=q7_TpaeFTuHRPDnfbdnzhMw==",
        "IsControl",
        "SettingsBase",
        "Change",
        "#=qXH69A$_8u_BEH$6TuzFn6w==",
        "m_RepLenDecoder",
        "#=q5kTowhAuuSOCKCKI6_gw5Q==",
        "Activator",
        "#=qrrUz6hC0NPP229srrATMtK3maxNKi2E6oaUoFmACl9I=",
        "DnsCommand",
        "wisxa",
        "GetKeyboardState",
        "Flags",
        "#=qVmsOOzNjkaQuSyIKz50umg==",
        "OriginalFilename",
        "BitDecoder",
        "#=qeZCoccI3yJdWJ3ayrHW$WA==",
        "kNumLenToPosStatesBits",
        "UpdateShortRep",
        "#=q7xw_62wJAROEdfmrcOfU9A==",
        "#=qGPyC5Xsppd3A9GM1nbF6UA==",
        "#=qz_b1L2sFeS3InI52Fcb$xw==",
        "WriteProcessMemory",
        "kNumBitModelTotalBits",
        "#=qhe3YBArn2XZllRv5mtI$IA==",
        "-7& G",
        "ToUnicodeEx",
        "-=&~L",
        "System.Runtime.InteropServices",
        "w`TeE",
        "#=qUUTENRjCs2Tp8v$UkD2pyj$_WERyijyYrwjs9ap51Bc=",
        "#=qYnC$MeSjL22yOmZmIH9O5Q==",
        "flags",
        "add_AssemblyResolve",
        "SetCoderProperties",
        "Rz4Zy",
        "Decoder",
        "#=qA6W6GWeKbpqYNXHHn0NOqQ==",
        "GetManifestResourceStream",
        "VS_VERSION_INFO",
        "#=qxPKYwApYHsDUAngYujXcMg==",
        "feffeefeffe ",
        "ISetDecoderProperties",
        "Combine",
        "Create__Instance__",
        "ffeeffefehah",
        "Computer",
        "#=qHULrE3ucj3pP3z4Q8AHNQ6f7gkmXn_0Fohqp275LJtI=",
        "m_LenDecoder",
        "ApplicationBase",
        "#=qL4z9que7yasXNRV3gE808Q==",
        "EndMarker",
        "#=qbxOnQHmVH_9KW47BBLVbiw==",
        "ReadString",
        "TmYM>K",
        "E'Y=u",
        "#=qps$_CRy8QN3tD8_cpxbl5Q==",
        "#=qOB8cEznqDkvIxRcccHlIsv7sC6k2hObkCZSKdkJ_Zsk=",
        "#=qv$8E8sC6lJIPtd2$JZCylw==",
        "startIndex",
        "List`1",
        "Object",
        "kNumHighLenBits",
        "AssemblyCopyrightAttribute",
        "DefRawInputProc",
        "1.0.1.7",
        "w,X8WD",
        "#=q4JDS1p4qILBfxV6iYzPvew==",
        "#=qG0TXdiUc5RapAeqxDJArye7UrdqGI4sA16AWYfcrCf0=",
        "Lzma#.dll",
        "fefefeffe",
        "StringSplitOptions",
        "#=qMaYcsaYwkZMTqb1yZLawvsT_RxwqTAeocZdt0axWTAI=",
        "#=qtnUi7yodyLqv1sucEHesww==",
        "#=qj4ZL7Xa5Jh3aXGsDJ8nwq9Ol$7j95Q2WIH6RXdknYOM=",
        "get_Value",
        "Compression.LZ",
        "PosStateBits",
        "#=qCqIROk23BL$5SZnsNcMGzw==",
        "get_ProcessName",
        "NanoCore.ClientPluginHost",
        "m_PosAlignDecoder",
        "#=qgvFUiZFJ0DnA4jPHJSI0$g==",
        "Header",
        "afefefeffe",
        "SetClipboardViewer",
        ".cctor",
        "NativeWindow",
        "#=qp0rjqvRPFB117u1oIM8eyg==",
        "#=qNwsNe80RUFvWuBVxKYH7CdkcJCEYrUuUzsDzmfG3Y0f_hVViDx0xK8xqdS9y79EZ",
        "Enter",
        "#=qMb7ah3f2LZnw5uZZ2MwFiVVbfzLytVjDFOGKjr3$eXM=",
        "#=q7ZvQqMWc8EiVYIemfr8kugujhdIVidtkVJrdNaMKkMY=",
        "#=qnKfe8RVyBZnzTVIYVRXs3lz7$G7e6QuPxi3Jx3scwJ4=",
        "PipeClosed",
        "#=q8PUUaAp4ut016MmvuKrU1A==",
        "Message",
        "#=qcYLUomKQ3VHSKmjKloHutA==",
        "Array",
        "#=qdLYSf0D2H54oOFJ36kM4Rg==",
        "Microsoft.VisualBasic.ApplicationServices"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "process_name": "rundll32.exe",
      "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll",
      "pid": 5804
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-04-28 00:56:48",
    "ended": "2026-04-28 01:00:26",
    "duration": 218,
    "id": 49,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 42,
      "status": "stopping",
      "name": "win10x64",
      "label": "win10x64",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-04-28 00:56:48",
      "shutdown_on": "2026-04-28 01:00:25"
    },
    "package": "dll",
    "timeout": true,
    "tlp": null,
    "parent_sample": null,
    "options": {},
    "source_url": null,
    "route": "",
    "user_id": 0,
    "CAPE_current_commit": "a9a0887dab232f52c59e955b9984dd494c47ce6b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 5804,
        "process_name": "rundll32.exe",
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "first_seen": "2026-04-27 21:58:15,907",
        "calls": [
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae38d0"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadTimes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f70"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsProcessorFeaturePresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b70"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf5b0"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessIdToSessionId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b90"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetProcessShutdownParameters"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9540"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae4d20"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0c20"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "5800",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-04-27 21:58:18,829",
            "thread_id": "6488",
            "caller": "0x77e91c0e",
            "parentcaller": "0x77e8dbb1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 15
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be5f1a",
            "parentcaller": "0x00be5fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x031f3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be5f1a",
            "parentcaller": "0x00be5fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x031f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be4168",
            "parentcaller": "0x00be6078",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "34",
                "pretty_value": "ProcessExecuteFlags"
              },
              {
                "name": "ProcessInformation",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be40d8",
            "parentcaller": "0x00be41fe",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be4290",
            "parentcaller": "0x00be6078",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be59c5",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.manifest"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-04-27 21:58:18,845",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.123.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a1d",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002c0"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.124.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a3e",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-04-27 21:58:19,173",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.2.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5a5f",
            "parentcaller": "0x00be42a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\rundll32.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-04-27 21:58:19,188",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "5800"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5abb",
            "parentcaller": "0x00be42a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5d94",
            "parentcaller": "0x00be42ae",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5d1d",
            "parentcaller": "0x00be5db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5d42",
            "parentcaller": "0x00be5db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5dc4",
            "parentcaller": "0x00be42ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3c8d",
            "parentcaller": "0x00be3e97",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55"
              },
              {
                "name": "DllBase",
                "value": "0x05fd0000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3c8d",
            "parentcaller": "0x00be3e97",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x05fd0000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3da6",
            "parentcaller": "0x00be3eb2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000138",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "01e3b18bd63981decb384f55.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x05fd0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "1"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ec0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000100"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000100"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000100"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000100"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000100"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ec0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02e3ea50"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be3924",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5e77",
            "parentcaller": "0x00be69af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00beb000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-04-27 21:58:19,204",
            "thread_id": "5800",
            "caller": "0x00be5e77",
            "parentcaller": "0x00be69af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x00beb000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-04-27 21:58:19,298",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "5800"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x772833ec"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-04-27 21:58:22,376",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x73b20000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-04-27 21:58:23,032",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-04-27 21:58:23,032",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-04-27 21:58:23,251",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x76ba0000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-04-27 21:58:23,704",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-04-27 21:58:23,720",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-04-27 21:58:31,079",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x73710000"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-04-27 21:58:31,079",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x73740000"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-04-27 21:58:31,095",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x73630000"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-04-27 21:58:31,095",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-04-27 21:58:31,095",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x73a60000"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-04-27 21:58:35,626",
            "thread_id": "5800",
            "caller": "0x00be3a40",
            "parentcaller": "0x00be3f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "6356",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "6356",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "6356",
            "caller": "0x77271454",
            "parentcaller": "0x7693b5fa",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "6356",
            "caller": "0x76938f18",
            "parentcaller": "0x76938dcd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "2200",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-04-27 21:58:53,798",
            "thread_id": "2200",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-04-27 21:59:15,626",
            "thread_id": "4592",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4592"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-04-27 21:59:15,626",
            "thread_id": "4592",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-04-27 21:59:15,626",
            "thread_id": "8160",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8160"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-04-27 21:59:15,626",
            "thread_id": "8160",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 98
          }
        ],
        "threads": [
          "5800",
          "6488",
          "6356",
          "2200",
          "4592",
          "8160"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00be0000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x05fd0000"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "rundll32.exe",
        "pid": 5804,
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "children": [],
        "threads": [
          "5800",
          "6488",
          "6356",
          "2200",
          "4592",
          "8160"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00be0000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x05fd0000"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.123.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.124.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll.2.Manifest",
        "C:\\Windows\\SysWOW64\\rundll32.exe",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
      ],
      "read_files": [],
      "write_files": [],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-27 21:58:19,173",
        "eid": 1,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-27 21:58:19,173",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-27 21:58:19,173",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-27 21:58:19,188",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-27 21:58:19,204",
        "eid": 5,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll",
          "pathtofile": null,
          "moduleaddress": "0x05fd0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-27 21:58:19,204",
        "eid": 6,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-27 21:58:23,032",
        "eid": 7,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x745d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-27 21:58:35,626",
        "eid": 8,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": []
    }
  },
  "debug": {
    "log": "2026-03-05 20:34:37,913 [root] INFO: Date set to: 20260428T00:57:34, timeout set to: 120\n2026-04-28 00:57:34,173 [root] DEBUG: Starting analyzer from: C:\\drl3__ia\n2026-04-28 00:57:34,173 [root] DEBUG: Storing results at: C:\\XJKAvEz\n2026-04-28 00:57:34,173 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\bRdEiig\n2026-04-28 00:57:34,173 [root] DEBUG: Python path: C:\\Python310\n2026-04-28 00:57:34,173 [root] INFO: analysis running as an admin\n2026-04-28 00:57:34,173 [root] INFO: analysis package specified: \"dll\"\n2026-04-28 00:57:34,173 [root] DEBUG: importing analysis package module: \"modules.packages.dll\"...\n2026-04-28 00:57:34,188 [root] DEBUG: imported analysis package \"dll\"\n2026-04-28 00:57:34,188 [root] DEBUG: initializing analysis package \"dll\"...\n2026-04-28 00:57:34,188 [lib.common.common] INFO: wrapping\n2026-04-28 00:57:34,188 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-28 00:57:34,188 [root] DEBUG: New location of moved file: C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55\n2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option\n2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option\n2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option\n2026-04-28 00:57:34,188 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option\n2026-04-28 00:57:34,313 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-04-28 00:57:34,376 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-04-28 00:57:34,485 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-04-28 00:57:34,516 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-04-28 00:57:34,610 [lib.api.screenshot] DEBUG: Importing 
'PIL.ImageChops'\n2026-04-28 00:57:34,735 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2026-04-28 00:57:34,813 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2026-04-28 00:57:34,923 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2026-04-28 00:57:34,985 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-04-28 00:57:35,001 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-04-28 00:57:35,001 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-04-28 00:57:35,001 [root] DEBUG: attempting to configure 'Browser' from data\n2026-04-28 00:57:35,016 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-04-28 00:57:35,016 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-04-28 00:57:35,016 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-04-28 00:57:35,016 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-04-28 00:57:35,016 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-04-28 00:57:35,016 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-04-28 00:57:35,016 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-04-28 00:57:35,016 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-04-28 00:57:36,204 [modules.auxiliary.digisig] DEBUG: File is not signed\n2026-04-28 00:57:36,204 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-04-28 00:57:36,204 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-04-28 00:57:36,204 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-04-28 00:57:36,204 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-04-28 00:57:36,204 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-04-28 00:57:36,204 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2026-04-28 00:57:36,219 [modules.auxiliary.disguise] INFO: Disguising GUID to edfca9f0-b2a7-4a7b-92c3-208899b6a836\n2026-04-28 00:57:36,219 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-04-28 00:57:36,235 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-04-28 00:57:36,235 [root] DEBUG: attempting to configure 'Human' from data\n2026-04-28 00:57:36,235 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-04-28 00:57:36,235 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-04-28 00:57:36,251 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-04-28 00:57:36,251 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-04-28 00:57:36,251 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-04-28 00:57:36,251 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-04-28 00:57:36,251 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-04-28 00:57:36,298 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-04-28 00:57:36,298 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-04-28 00:57:36,298 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-04-28 00:57:36,298 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-04-28 00:57:36,313 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-04-28 00:57:36,313 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-04-28 00:57:37,829 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\\drl3__ia\\dll\\644.ini\n2026-04-28 00:57:37,844 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-04-28 00:57:37,860 [lib.api.process] INFO: 64-bit DLL to inject is C:\\drl3__ia\\dll\\EoqgWis.dll, 
loader C:\\drl3__ia\\bin\\jbmtltnx.exe\n2026-04-28 00:57:38,016 [root] DEBUG: Loader: Injecting process 644 with C:\\drl3__ia\\dll\\EoqgWis.dll.\n2026-04-28 00:57:38,329 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-04-28 00:57:38,329 [root] DEBUG: 644: Disabling sleep skipping.\n2026-04-28 00:57:38,344 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-04-28 00:57:38,579 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-04-28 00:57:38,610 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABE00000, thread 3868, image base 0x00007FF7C23E0000, stack from 0x0000008E4CA72000-0x0000008E4CA80000\n2026-04-28 00:57:38,610 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-04-28 00:57:38,641 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-04-28 00:57:38,688 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-04-28 00:57:38,704 [root] DEBUG: Successfully injected DLL C:\\drl3__ia\\dll\\EoqgWis.dll.\n2026-04-28 00:58:05,516 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>\n2026-04-28 00:58:05,532 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-04-28 00:58:05,688 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\XJKAvEz\\tlsdump\\tlsdump.log\n2026-04-28 00:58:12,641 [root] INFO: Restarting WMI Service\n2026-04-28 00:58:12,705 [root] DEBUG: package modules.packages.dll does not support configure, ignoring\n2026-04-28 00:58:12,705 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'\n2026-04-28 00:58:12,705 [lib.common.common] INFO: Submitted file is missing extension, adding .dll\n2026-04-28 00:58:12,705 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-28 00:58:12,751 [lib.api.process] 
INFO: Successfully executed process from path \"C:\\Windows\\System32\\rundll32.exe\" with arguments \"\"C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll\",#1\" with pid 5804\n2026-04-28 00:58:12,751 [lib.api.process] INFO: Monitor config for <Process 5804 rundll32.exe>: C:\\drl3__ia\\dll\\5804.ini\n2026-04-28 00:58:12,751 [lib.api.process] INFO: 32-bit DLL to inject is C:\\drl3__ia\\dll\\bcxciCVv.dll, loader C:\\drl3__ia\\bin\\SuLiCON.exe\n2026-04-28 00:58:12,891 [root] DEBUG: Loader: Injecting process 5804 (thread 5800) with C:\\drl3__ia\\dll\\bcxciCVv.dll.\n2026-04-28 00:58:12,923 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-04-28 00:58:12,923 [root] DEBUG: Successfully injected DLL C:\\drl3__ia\\dll\\bcxciCVv.dll.\n2026-04-28 00:58:12,938 [lib.api.process] INFO: Injected into 32-bit <Process 5804 rundll32.exe>\n2026-04-28 00:58:14,954 [lib.api.process] INFO: Successfully resumed <Process 5804 rundll32.exe>\n2026-04-28 00:58:15,844 [root] DEBUG: 5804: Python path set to 'C:\\Python310'.\n2026-04-28 00:58:15,891 [root] DEBUG: 5804: Disabling sleep skipping.\n2026-04-28 00:58:15,907 [root] DEBUG: 5804: Dropped file limit defaulting to 100.\n2026-04-28 00:58:15,985 [root] DEBUG: 5804: YaraInit: Compiled 44 rule files\n2026-04-28 00:58:16,001 [root] DEBUG: 5804: YaraInit: Compiled rules saved to file C:\\drl3__ia\\data\\yara\\capemon.yac\n2026-04-28 00:58:16,016 [root] DEBUG: 5804: YaraScan: Scanning 0x00BE0000, size 0x136e8\n2026-04-28 00:58:16,016 [root] DEBUG: 5804: Monitor initialised: 32-bit capemon loaded in process 5804 at 0x73bc0000, thread 5800, image base 0xbe0000, stack from 0x2e32000-0x2e40000\n2026-04-28 00:58:16,032 [root] DEBUG: 5804: Commandline: \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55.dll\",#1\n2026-04-28 00:58:17,110 [root] DEBUG: 5804: Yara error: Scanning timed out\n2026-04-28 00:58:17,204 [root] DEBUG: 5804: hook_api: Warning - CreateProcessA 
export address 0x76AE2D90 differs from GetProcAddress -> 0x73F522A0 (AcLayers.DLL::0xfd4a22a0)\n2026-04-28 00:58:17,204 [root] DEBUG: 5804: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73F524E0 (AcLayers.DLL::0xfd4a24e0)\n2026-04-28 00:58:17,219 [root] DEBUG: 5804: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73F527A0 (AcLayers.DLL::0xfd4a27a0)\n2026-04-28 00:58:17,657 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-04-28 00:58:17,657 [root] DEBUG: 5804: set_hooks: Unable to hook GetCommandLineA\n2026-04-28 00:58:17,673 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-04-28 00:58:17,673 [root] DEBUG: 5804: set_hooks: Unable to hook GetCommandLineW\n2026-04-28 00:58:18,813 [root] DEBUG: 5804: Hooked 630 out of 632 functions\n2026-04-28 00:58:18,829 [root] DEBUG: 5804: Syscall hook installed, syscall logging level 1\n2026-04-28 00:58:18,829 [root] DEBUG: 5804: RestoreHeaders: Restored original import table.\n2026-04-28 00:58:18,829 [root] INFO: Loaded monitor into process with pid 5804\n2026-04-28 00:58:18,845 [root] DEBUG: 5804: caller_dispatch: Added region at 0x00BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00BE5F1A, thread 5800).\n2026-04-28 00:58:18,845 [root] DEBUG: 5804: YaraScan: Scanning 0x00BE0000, size 0x136e8\n2026-04-28 00:58:18,845 [root] DEBUG: 5804: ProcessImageBase: Main module image at 0x00BE0000 unmodified (entropy change 0.000000e+00)\n2026-04-28 00:58:19,188 [root] DEBUG: 5804: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 5800).\n2026-04-28 00:58:19,204 [root] DEBUG: 5804: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-28 00:58:19,204 [root] DEBUG: 5804: Target DLL loaded at 0x05FD0000: 
C:\\Users\\cape\\AppData\\Local\\Temp\\01e3b18bd63981decb384f55 (0x1e000 bytes).\n2026-04-28 00:58:19,204 [root] DEBUG: 5804: YaraScan: Scanning 0x05FD0000, size 0x1f0\n2026-04-28 00:58:21,532 [root] DEBUG: 5804: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5800).\n2026-04-28 00:58:21,547 [root] DEBUG: 5804: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-28 00:58:22,376 [root] DEBUG: 5804: DLL loaded at 0x73B20000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-04-28 00:58:23,032 [root] DEBUG: 5804: DLL loaded at 0x745D0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-04-28 00:58:23,251 [root] DEBUG: 5804: DLL loaded at 0x76BA0000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2026-04-28 00:58:23,704 [root] DEBUG: 5804: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-28 00:58:23,719 [root] DEBUG: 5804: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-04-28 00:58:23,719 [root] DEBUG: 5804: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-04-28 00:58:31,079 [root] DEBUG: 5804: DLL loaded at 0x73710000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x73740000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x73630000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2026-04-28 00:58:31,095 [root] DEBUG: 5804: DLL loaded at 0x737E0000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-04-28 00:58:31,110 [root] DEBUG: 5804: DLL loaded at 0x73A60000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-04-28 01:00:15,239 [root] INFO: Analysis timeout hit, terminating analysis\n2026-04-28 01:00:15,239 [lib.api.process] INFO: Terminate event set 
for <Process 5804 rundll32.exe>\n2026-04-28 01:00:15,239 [root] DEBUG: 5804: Terminate Event: Attempting to dump process 5804\n2026-04-28 01:00:15,239 [root] DEBUG: 5804: VerifyCodeSection: Executable code does not match, 0x153f6 of 0x153f7 matching\n2026-04-28 01:00:15,254 [root] DEBUG: 5804: DoProcessDump: Code modification detected, dumping Imagebase at 0x05FD0000.\n2026-04-28 01:00:15,254 [root] DEBUG: 5804: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-04-28 01:00:15,254 [root] DEBUG: 5804: DumpProcess: Instantiating PeParser with address: 0x05FD0000.\n2026-04-28 01:00:15,270 [root] DEBUG: 5804: DumpProcess: Module entry point VA is 0x05FE73F2.\n2026-04-28 01:00:15,270 [root] DEBUG: 5804: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05FE8000, section 2\n2026-04-28 01:00:15,270 [root] DEBUG: 5804: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05FEA000, section 3\n2026-04-28 01:00:15,738 [lib.common.results] INFO: Uploading file C:\\XJKAvEz\\CAPE\\5804_251741502227142026 to procdump\\b7b4d47ba3fc76015fb8c7bb34b6d87f0458375f59d8e89b6a9569948044976b; Size is 88064; Max size: 100000000\n2026-04-28 01:00:15,738 [root] DEBUG: 5804: DumpProcess: Module image dump success - dump size 0x15800.\n2026-04-28 01:00:15,754 [lib.api.process] INFO: Termination confirmed for <Process 5804 rundll32.exe>\n2026-04-28 01:00:15,754 [root] INFO: Terminate event set for process 5804\n2026-04-28 01:00:15,754 [root] INFO: Created shutdown mutex\n2026-04-28 01:00:15,754 [root] DEBUG: 5804: Terminate Event: monitor shutdown complete for process 5804\n2026-04-28 01:00:16,770 [root] INFO: Shutting down package\n2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary modules\n2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary module: Browser\n2026-04-28 01:00:16,770 [root] INFO: Stopping auxiliary module: Human\n2026-04-28 01:00:19,613 [root] INFO: Stopping auxiliary module: Screenshots\n2026-04-28 
01:00:20,192 [root] INFO: Finishing auxiliary modules\n2026-04-28 01:00:20,192 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-04-28 01:00:20,192 [root] WARNING: Folder at path \"C:\\XJKAvEz\\debugger\" does not exist, skipping\n2026-04-28 01:00:20,192 [root] INFO: Uploading files at path \"C:\\XJKAvEz\\tlsdump\"\n2026-04-28 01:00:20,192 [lib.common.results] INFO: Uploading file C:\\XJKAvEz\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 21098; Max size: 100000000\n2026-04-28 01:00:20,207 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "ac6f02c7f619f6ff13b2f320819a677852226f7c511cdb1997edd057752a1afc",
    "hosts": [
      {
        "ip": "46.149.110.67",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "72.154.7.16",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.108",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.105",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.102",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.98",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.107",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.109",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "13.107.6.156",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.41",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.165.94.54",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "150.171.27.11",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "209.85.233.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "i.pki.goog",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "20.42.65.93",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.56",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.49",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "52.123.242.97",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "4.207.247.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.189.173.2",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [
      {
        "domain": "i.pki.goog",
        "ip": "209.85.233.94"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.100",
        "sport": 49723,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.1.100",
        "sport": 49724,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 95,
        "time": 0.9218289852142334
      },
      {
        "src": "192.168.1.100",
        "sport": 49809,
        "dst": "52.123.240.129",
        "dport": 443,
        "offset": 10524,
        "time": 4.120851993560791
      },
      {
        "src": "192.168.1.100",
        "sport": 49810,
        "dst": "13.107.253.44",
        "dport": 443,
        "offset": 25406,
        "time": 4.236391067504883
      },
      {
        "src": "192.168.1.100",
        "sport": 49812,
        "dst": "150.171.109.53",
        "dport": 443,
        "offset": 53828,
        "time": 4.398949146270752
      },
      {
        "src": "192.168.1.100",
        "sport": 49813,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 64666,
        "time": 4.457405090332031
      },
      {
        "src": "192.168.1.100",
        "sport": 49815,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 79801,
        "time": 4.7684900760650635
      },
      {
        "src": "192.168.1.100",
        "sport": 49718,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 200168,
        "time": 4.82770299911499
      },
      {
        "src": "192.168.1.100",
        "sport": 49721,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 315274,
        "time": 5.202517986297607
      },
      {
        "src": "192.168.1.100",
        "sport": 49819,
        "dst": "93.191.15.200",
        "dport": 443,
        "offset": 317599,
        "time": 5.281634092330933
      },
      {
        "src": "192.168.1.100",
        "sport": 49821,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 363716,
        "time": 6.379698038101196
      },
      {
        "src": "192.168.1.100",
        "sport": 49822,
        "dst": "209.85.233.94",
        "dport": 80,
        "offset": 365757,
        "time": 6.39511513710022
      },
      {
        "src": "192.168.1.100",
        "sport": 49824,
        "dst": "93.191.15.202",
        "dport": 80,
        "offset": 394244,
        "time": 6.685088157653809
      },
      {
        "src": "192.168.1.100",
        "sport": 49728,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 395854,
        "time": 6.693181037902832
      },
      {
        "src": "192.168.1.100",
        "sport": 49825,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 398311,
        "time": 6.741365194320679
      },
      {
        "src": "192.168.1.100",
        "sport": 49829,
        "dst": "20.42.65.93",
        "dport": 443,
        "offset": 414602,
        "time": 7.98950719833374
      },
      {
        "src": "192.168.1.100",
        "sport": 49833,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 436707,
        "time": 25.851638078689575
      },
      {
        "src": "192.168.1.100",
        "sport": 49835,
        "dst": "23.197.162.102",
        "dport": 80,
        "offset": 446464,
        "time": 35.33199214935303
      },
      {
        "src": "192.168.1.100",
        "sport": 49838,
        "dst": "23.11.41.157",
        "dport": 80,
        "offset": 449869,
        "time": 35.563151121139526
      },
      {
        "src": "192.168.1.100",
        "sport": 49843,
        "dst": "20.190.147.9",
        "dport": 443,
        "offset": 490148,
        "time": 36.79307198524475
      },
      {
        "src": "192.168.1.100",
        "sport": 49845,
        "dst": "20.190.147.9",
        "dport": 443,
        "offset": 491022,
        "time": 36.79485011100769
      },
      {
        "src": "192.168.1.100",
        "sport": 49848,
        "dst": "20.190.147.9",
        "dport": 443,
        "offset": 491776,
        "time": 36.79724597930908
      },
      {
        "src": "192.168.1.100",
        "sport": 49846,
        "dst": "20.190.147.9",
        "dport": 443,
        "offset": 492378,
        "time": 36.798933029174805
      },
      {
        "src": "192.168.1.100",
        "sport": 49850,
        "dst": "20.190.147.9",
        "dport": 443,
        "offset": 668178,
        "time": 37.23841905593872
      },
      {
        "src": "192.168.1.100",
        "sport": 49849,
        "dst": "20.42.73.31",
        "dport": 443,
        "offset": 674131,
        "time": 37.312435150146484
      },
      {
        "src": "192.168.1.100",
        "sport": 49858,
        "dst": "52.123.129.14",
        "dport": 443,
        "offset": 830209,
        "time": 37.666049003601074
      },
      {
        "src": "192.168.1.100",
        "sport": 49856,
        "dst": "20.165.94.54",
        "dport": 443,
        "offset": 843220,
        "time": 37.763832092285156
      },
      {
        "src": "192.168.1.100",
        "sport": 49859,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 854655,
        "time": 37.82311010360718
      },
      {
        "src": "192.168.1.100",
        "sport": 49861,
        "dst": "74.179.77.204",
        "dport": 443,
        "offset": 885310,
        "time": 38.09485602378845
      },
      {
        "src": "192.168.1.100",
        "sport": 49864,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 918862,
        "time": 38.58627104759216
      },
      {
        "src": "192.168.1.100",
        "sport": 49866,
        "dst": "135.236.137.174",
        "dport": 443,
        "offset": 992615,
        "time": 38.97344398498535
      },
      {
        "src": "192.168.1.100",
        "sport": 49867,
        "dst": "74.179.77.204",
        "dport": 443,
        "offset": 1376781,
        "time": 39.26930809020996
      },
      {
        "src": "192.168.1.100",
        "sport": 49710,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1779137,
        "time": 39.715599060058594
      },
      {
        "src": "192.168.1.100",
        "sport": 49716,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 1779828,
        "time": 39.79368710517883
      },
      {
        "src": "192.168.1.100",
        "sport": 49872,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 1831753,
        "time": 40.39353609085083
      },
      {
        "src": "192.168.1.100",
        "sport": 49720,
        "dst": "8.8.4.4",
        "dport": 443,
        "offset": 1850209,
        "time": 40.98150610923767
      },
      {
        "src": "192.168.1.100",
        "sport": 49708,
        "dst": "13.107.6.156",
        "dport": 443,
        "offset": 1850350,
        "time": 41.01283001899719
      },
      {
        "src": "192.168.1.100",
        "sport": 49874,
        "dst": "20.42.73.31",
        "dport": 443,
        "offset": 1852310,
        "time": 41.67163610458374
      },
      {
        "src": "192.168.1.100",
        "sport": 49712,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1897688,
        "time": 42.199740171432495
      },
      {
        "src": "192.168.1.100",
        "sport": 49883,
        "dst": "13.69.109.130",
        "dport": 443,
        "offset": 20875453,
        "time": 46.28571701049805
      },
      {
        "src": "192.168.1.100",
        "sport": 49889,
        "dst": "52.168.112.66",
        "dport": 443,
        "offset": 93970158,
        "time": 52.03688311576843
      },
      {
        "src": "192.168.1.100",
        "sport": 49892,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 108161944,
        "time": 53.15231919288635
      },
      {
        "src": "192.168.1.100",
        "sport": 49897,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 115620405,
        "time": 63.46939301490784
      },
      {
        "src": "192.168.1.100",
        "sport": 49898,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 115632701,
        "time": 64.53795504570007
      },
      {
        "src": "192.168.1.100",
        "sport": 49901,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 115648996,
        "time": 65.31756520271301
      },
      {
        "src": "192.168.1.100",
        "sport": 49905,
        "dst": "204.79.197.203",
        "dport": 80,
        "offset": 115658238,
        "time": 65.98133897781372
      },
      {
        "src": "192.168.1.100",
        "sport": 49907,
        "dst": "52.167.249.196",
        "dport": 443,
        "offset": 115674157,
        "time": 66.73508405685425
      },
      {
        "src": "192.168.1.100",
        "sport": 49910,
        "dst": "150.171.109.53",
        "dport": 443,
        "offset": 115689792,
        "time": 71.90145015716553
      },
      {
        "src": "192.168.1.100",
        "sport": 49913,
        "dst": "2.23.88.9",
        "dport": 443,
        "offset": 116284533,
        "time": 87.43231320381165
      },
      {
        "src": "192.168.1.100",
        "sport": 49914,
        "dst": "23.11.41.157",
        "dport": 80,
        "offset": 116291362,
        "time": 87.53953099250793
      },
      {
        "src": "192.168.1.100",
        "sport": 49917,
        "dst": "135.232.92.34",
        "dport": 443,
        "offset": 117148287,
        "time": 92.94330215454102
      },
      {
        "src": "192.168.1.100",
        "sport": 49919,
        "dst": "2.23.89.205",
        "dport": 443,
        "offset": 117174950,
        "time": 93.8282401561737
      },
      {
        "src": "192.168.1.100",
        "sport": 49925,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 119046714,
        "time": 103.0868091583252
      },
      {
        "src": "192.168.1.100",
        "sport": 49929,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 119059394,
        "time": 113.5536720752716
      },
      {
        "src": "192.168.1.100",
        "sport": 49932,
        "dst": "204.79.197.203",
        "dport": 80,
        "offset": 119076922,
        "time": 131.40412497520447
      },
      {
        "src": "192.168.1.100",
        "sport": 49934,
        "dst": "93.191.15.161",
        "dport": 80,
        "offset": 119081626,
        "time": 145.4842541217804
      },
      {
        "src": "192.168.1.100",
        "sport": 49936,
        "dst": "72.154.7.107",
        "dport": 443,
        "offset": 120906823,
        "time": 145.93215918540955
      },
      {
        "src": "192.168.1.100",
        "sport": 49938,
        "dst": "72.154.7.17",
        "dport": 443,
        "offset": 120907711,
        "time": 145.9463541507721
      },
      {
        "src": "192.168.1.100",
        "sport": 49940,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 120930803,
        "time": 146.8934190273285
      },
      {
        "src": "192.168.1.100",
        "sport": 49942,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 120961644,
        "time": 147.16107416152954
      },
      {
        "src": "192.168.1.100",
        "sport": 49944,
        "dst": "52.123.245.106",
        "dport": 443,
        "offset": 120988190,
        "time": 148.64125108718872
      }
    ],
    "udp": [
      {
        "src": "192.168.1.100",
        "sport": 59524,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 26303,
        "time": 4.255674123764038
      },
      {
        "src": "192.168.1.100",
        "sport": 55821,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 312439,
        "time": 4.957129001617432
      },
      {
        "src": "192.168.1.100",
        "sport": 49974,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 316570,
        "time": 5.248691082000732
      },
      {
        "src": "192.168.1.100",
        "sport": 64562,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 362825,
        "time": 6.356151103973389
      },
      {
        "src": "192.168.1.100",
        "sport": 64901,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 392888,
        "time": 6.615995168685913
      },
      {
        "src": "192.168.1.100",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 441314,
        "time": 31.650252103805542
      },
      {
        "src": "192.168.1.100",
        "sport": 60956,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 441670,
        "time": 35.185585021972656
      },
      {
        "src": "192.168.1.100",
        "sport": 61376,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 449224,
        "time": 35.482913970947266
      },
      {
        "src": "192.168.1.100",
        "sport": 49855,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 482968,
        "time": 36.68840217590332
      },
      {
        "src": "192.168.1.100",
        "sport": 50298,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 666938,
        "time": 37.184638023376465
      },
      {
        "src": "192.168.1.100",
        "sport": 55130,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 813857,
        "time": 37.59945201873779
      },
      {
        "src": "192.168.1.100",
        "sport": 53423,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 915425,
        "time": 38.43237113952637
      },
      {
        "src": "192.168.1.100",
        "sport": 51093,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1827429,
        "time": 40.341400146484375
      },
      {
        "src": "192.168.1.100",
        "sport": 56679,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 60599686,
        "time": 49.41249918937683
      },
      {
        "src": "192.168.1.100",
        "sport": 55713,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 115612032,
        "time": 62.568987131118774
      },
      {
        "src": "192.168.1.100",
        "sport": 56925,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 115641096,
        "time": 65.07557320594788
      },
      {
        "src": "192.168.1.100",
        "sport": 55858,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 115689210,
        "time": 71.8176121711731
      },
      {
        "src": "192.168.1.100",
        "sport": 53236,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 117025010,
        "time": 92.03201198577881
      },
      {
        "src": "192.168.1.100",
        "sport": 52041,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 117148197,
        "time": 92.94028210639954
      },
      {
        "src": "192.168.1.100",
        "sport": 52484,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 117467422,
        "time": 94.1269850730896
      },
      {
        "src": "192.168.1.100",
        "sport": 59356,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 119075187,
        "time": 129.09310817718506
      },
      {
        "src": "192.168.1.100",
        "sport": 55919,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 120905547,
        "time": 145.72829604148865
      },
      {
        "src": "192.168.1.100",
        "sport": 49631,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 120906136,
        "time": 145.75321316719055
      },
      {
        "src": "192.168.1.100",
        "sport": 50740,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 120929991,
        "time": 146.85256814956665
      },
      {
        "src": "192.168.1.100",
        "sport": 61783,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 120986598,
        "time": 148.60165905952454
      }
    ],
    "icmp": [
      {
        "src": "192.168.1.100",
        "dst": "8.8.4.4",
        "type": 3,
        "data": ""
      }
    ],
    "http": [
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr1.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr1.crt",
        "body": "",
        "path": "/gsr1.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1777337861.692311
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /r4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/r4.crt",
        "body": "",
        "path": "/r4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1777337861.715545
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /we2.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/we2.crt",
        "body": "",
        "path": "/we2.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1777337861.736433
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr4.crt",
        "body": "",
        "path": "/gsr4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1777337861.759884
      }
    ],
    "dns": [
      {
        "request": "i.pki.goog",
        "type": "A",
        "answers": [
          {
            "type": "CNAME",
            "data": "pki-goog.l.google.com"
          },
          {
            "type": "A",
            "data": "209.85.233.94"
          }
        ],
        "first_seen": 1777337861.653653
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "52.123.242.97",
        443
      ],
      [
        "72.154.7.109",
        443
      ],
      [
        "72.154.7.98",
        443
      ],
      [
        "72.154.7.101",
        443
      ],
      [
        "72.154.7.102",
        443
      ],
      [
        "72.154.7.105",
        443
      ],
      [
        "72.154.7.100",
        443
      ],
      [
        "72.154.7.108",
        443
      ],
      [
        "72.154.7.16",
        443
      ],
      [
        "46.149.110.67",
        80
      ]
    ]
  },
  "suricata": {
    "alerts": [],
    "tls": [
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-28 00:57:41.699601+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "87c36e0efdb847c153954b9f4778e764",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,45-13-43-51-23-0-65037-65281-5-27-10-11-35-18-16-17613,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49823,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-28 00:57:41.911958+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "eca10cbdddc3be37612b1d322437c105",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,51-23-5-45-27-65281-0-35-16-65037-43-10-17613-13-18-11,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49872,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-28 00:58:15.706817+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "00cf290bd02b8f31a70af6a46e70e981",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-16-17613-11-65037-13-0-51-5-27-43-45-23-35-65281,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      }
    ],
    "perf": [],
    "files": [],
    "http": [
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.711477+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.736433+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.759884+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.787638+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.806047+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.829925+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.852765+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "209.85.233.94",
        "timestamp": "2026-04-28 00:57:41.921499+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      }
    ],
    "dns": [
      {
        "timestamp": "2026-04-28T00:57:41.653347+0000",
        "flow_id": 1680207172465105,
        "pcap_cnt": 503,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 64562,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 30694,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-28T00:57:41.653653+0000",
        "flow_id": 1681522164200499,
        "pcap_cnt": 504,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 64724,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 51226,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-28T00:57:41.672666+0000",
        "flow_id": 1680207172465105,
        "pcap_cnt": 508,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 64562,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 30694,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 56,
              "rdata": "pki-goog.l.google.com"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          },
          "authorities": [
            {
              "rrname": "l.google.com",
              "rrtype": "SOA",
              "ttl": 60,
              "soa": {
                "mname": "ns1.google.com",
                "rname": "dns-admin.google.com",
                "serial": 906246128,
                "refresh": 900,
                "retry": 900,
                "expire": 1800,
                "minimum": 60
              }
            }
          ]
        }
      },
      {
        "timestamp": "2026-04-28T00:57:41.669113+0000",
        "flow_id": 1681522164200499,
        "pcap_cnt": 506,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 64724,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 51226,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 218,
              "rdata": "pki-goog.l.google.com"
            },
            {
              "rrname": "pki-goog.l.google.com",
              "rrtype": "A",
              "ttl": 300,
              "rdata": "209.85.233.94"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ],
            "A": [
              "209.85.233.94"
            ]
          }
        }
      }
    ],
    "ssh": [],
    "fileinfo": [],
    "eve_log_full_path": "/opt/CAPEv2/storage/analyses/49/logs/eve.json",
    "alert_log_full_path": null,
    "tls_log_full_path": null,
    "http_log_full_path": null,
    "file_log_full_path": null,
    "ssh_log_full_path": null,
    "dns_log_full_path": null
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "46.149.110.67"
        },
        {
          "ip": "72.154.7.16"
        },
        {
          "ip": "72.154.7.108"
        },
        {
          "ip": "72.154.7.100"
        },
        {
          "ip": "72.154.7.105"
        },
        {
          "ip": "72.154.7.102"
        },
        {
          "ip": "72.154.7.98"
        },
        {
          "ip": "72.154.7.101"
        },
        {
          "ip": "72.154.7.107"
        },
        {
          "ip": "72.154.7.109"
        },
        {
          "ip": "13.107.6.156"
        },
        {
          "ip": "84.47.178.41"
        },
        {
          "ip": "20.165.94.54"
        },
        {
          "ip": "150.171.27.11"
        },
        {
          "ip": "209.85.233.94"
        },
        {
          "ip": "20.42.65.93"
        },
        {
          "ip": "84.47.178.56"
        },
        {
          "ip": "84.47.178.49"
        },
        {
          "ip": "52.123.242.97"
        },
        {
          "ip": "4.207.247.139"
        },
        {
          "ip": "20.189.173.2"
        },
        {
          "domain": "i.pki.goog"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://i.pki.goog/gsr1.crt"
        },
        {
          "url": "http://i.pki.goog/r4.crt"
        },
        {
          "url": "http://i.pki.goog/we2.crt"
        },
        {
          "url": "http://i.pki.goog/gsr4.crt"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "packer_entropy",
      "description": "The binary likely contains encrypted or compressed data",
      "categories": [
        "packer"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [
        "http://www.forensickb.com/2013/03/file-entropy-explained.html",
        "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
      ],
      "data": [
        {
          "section": {
            "name": ".text",
            "raw_address": "0x00000200",
            "virtual_address": "0x00002000",
            "virtual_size": "0x000153f8",
            "size_of_data": "0x00015400",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "6.94"
          }
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "binary_yara",
      "description": "Binary file triggered multiple YARA rules",
      "categories": [
        "static"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "Binary triggered YARA rule": "DITEKSHEN_MALWARE_Win_Nanocore"
        },
        {
          "Binary triggered YARA rule": "Windows_Trojan_Nanocore_d8c4e3c5"
        },
        {
          "Binary triggered YARA rule": "Nanocore_RAT_Gen_2"
        },
        {
          "Binary triggered YARA rule": "NETDLLMicrosoft"
        },
        {
          "Binary triggered YARA rule": "IsPE32"
        },
        {
          "Binary triggered YARA rule": "IsNET_DLL"
        },
        {
          "Binary triggered YARA rule": "IsDLL"
        },
        {
          "Binary triggered YARA rule": "IsConsole"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "procmem_yara",
      "description": "Yara detections observed in process dumps, payloads or dropped files",
      "categories": [
        "malware"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "Hit": "PID 5804 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientData', 'IClientNetwork', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings']'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'LogClientException', 'IClientLoggingHost']'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'IsPE32' with data '[]'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'IsNET_DLL' with data '[]'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'IsDLL' with data '[]'"
        },
        {
          "Hit": "PID 5804 triggered the Yara rule 'IsConsole' with data '[]'"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 8.0,
  "ttps": [
    {
      "signature": "stealth_network",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "binary_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "packer_entropy",
      "ttps": [
        "T1027.002",
        "T1027"
      ],
      "mbcs": [
        "OB0001",
        "OB0002",
        "OB0006",
        "F0001"
      ]
    },
    {
      "signature": "procmem_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002",
        "OC0006",
        "C0002",
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Malicious"
}