Analysis

Category: FILE
Package: Extraction
Started: 2019-09-11 14:24:00
Completed: 2019-09-11 14:24:38
Duration: 38 seconds

Options:
route = internet
procdump = 0

Log:
2019-09-11 15:24:04,000 [root] INFO: Date set to: 09-11-19, time set to: 14:24:04, timeout set to: 200
2019-09-11 15:24:04,015 [root] DEBUG: Starting analyzer from: C:\jzetbvvac
2019-09-11 15:24:04,015 [root] DEBUG: Storing results at: C:\AhuoFy
2019-09-11 15:24:04,015 [root] DEBUG: Pipe server name: \\.\PIPE\RxJaMNKofU
2019-09-11 15:24:04,015 [root] INFO: Analysis package "Extraction" has been specified.
2019-09-11 15:24:04,374 [root] DEBUG: Started auxiliary module Browser
2019-09-11 15:24:04,390 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 15:24:04,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 15:24:04,608 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 15:24:04,608 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 15:24:04,608 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 15:24:04,608 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 15:24:04,624 [root] DEBUG: Started auxiliary module Human
2019-09-11 15:24:04,624 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 15:24:04,624 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 15:24:04,624 [root] DEBUG: Started auxiliary module Usage
2019-09-11 15:24:04,624 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-09-11 15:24:04,624 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-09-11 15:24:04,638 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE" with arguments "" with pid 1308
2019-09-11 15:24:04,654 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-09-11 15:24:04,654 [lib.api.process] INFO: 32-bit DLL to inject is C:\jzetbvvac\dll\XjWObPj.dll, loader C:\jzetbvvac\bin\UTWvXmA.exe
2019-09-11 15:24:04,747 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RxJaMNKofU.
2019-09-11 15:24:04,747 [root] DEBUG: Loader: Injecting process 1308 (thread 884) with C:\jzetbvvac\dll\XjWObPj.dll.
2019-09-11 15:24:04,747 [root] DEBUG: Process image base: 0x00260000
2019-09-11 15:24:04,747 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2019-09-11 15:24:04,747 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2019-09-11 15:24:04,763 [root] DEBUG: Successfully injected DLL C:\jzetbvvac\dll\XjWObPj.dll.
2019-09-11 15:24:04,763 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1308
2019-09-11 15:24:06,776 [lib.api.process] INFO: Successfully resumed process with pid 1308
2019-09-11 15:24:06,776 [root] INFO: Added new process to list with pid: 1308
2019-09-11 15:24:06,808 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 15:24:06,808 [root] DEBUG: Process dumps disabled.
2019-09-11 15:24:06,854 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2019-09-11 15:24:06,869 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x100000
2019-09-11 15:24:06,869 [root] DEBUG: Debugger initialised.
2019-09-11 15:24:06,869 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1308 at 0x74480000, image base 0x260000, stack from 0x216000-0x220000
2019-09-11 15:24:06,869 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE".
2019-09-11 15:24:06,869 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list.
2019-09-11 15:24:06,869 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1854 in capemon caught accessing 0x261000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:06,869 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,869 [root] DEBUG: AddTrackedRegion: GetEntropy failed.
2019-09-11 15:24:06,869 [root] DEBUG: AddTrackedRegion: Region at 0x00260000 size 0x1000 added to tracked regions.
2019-09-11 15:24:06,869 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-09-11 15:24:06,869 [root] INFO: Monitor successfully loaded in process with pid 1308.
2019-09-11 15:24:06,869 [root] DEBUG: set_caller_info: Calling address 0x0021F848 in stack (advapi32::RegQueryInfoKeyW)
2019-09-11 15:24:06,885 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list.
2019-09-11 15:24:06,885 [root] DEBUG: set_caller_info: Adding region at 0x020F0000 to caller regions list.
2019-09-11 15:24:06,885 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-09-11 15:24:06,885 [root] DEBUG: Allocation: 0x00400000 - 0x00480000, size: 0x80000, protection: 0x40.
2019-09-11 15:24:06,885 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,885 [root] DEBUG: AddTrackedRegion: Region at 0x00400000 size 0x80000 added to tracked regions.
2019-09-11 15:24:06,885 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x00400000.
2019-09-11 15:24:06,885 [root] DEBUG: FreeHandler: Address: 0x00400000.
2019-09-11 15:24:06,885 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x480000.
2019-09-11 15:24:06,885 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x24eeb20, AllocationBase 0x260000.
2019-09-11 15:24:06,885 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x24eebc8, AllocationBase 0x400000.
2019-09-11 15:24:06,885 [root] DEBUG: DropTrackedRegion: removed pages 0x400000-0x480000 from tracked region list.
2019-09-11 15:24:06,885 [root] DEBUG: Allocation: 0x00440000 - 0x00441000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,885 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,885 [root] DEBUG: AddTrackedRegion: Region at 0x00440000 size 0x1000 added to tracked regions.
2019-09-11 15:24:06,901 [root] DEBUG: DLL loaded at 0x73DE0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x69b000 bytes).
2019-09-11 15:24:06,901 [root] DEBUG: DLL loaded at 0x73D00000: C:\Windows\system32\MSVCR110_CLR0400 (0xd3000 bytes).
2019-09-11 15:24:06,901 [root] INFO: Disabling sleep skipping.
2019-09-11 15:24:06,901 [root] DEBUG: Allocation: 0x03A00000 - 0x03C00000, size: 0x200000, protection: 0x40.
2019-09-11 15:24:06,901 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,901 [root] DEBUG: AddTrackedRegion: Region at 0x03A00000 size 0x200000 added to tracked regions.
2019-09-11 15:24:06,901 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x03A00000.
2019-09-11 15:24:06,901 [root] DEBUG: FreeHandler: Address: 0x03A00000.
2019-09-11 15:24:06,901 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3a00000 - 0x3c00000.
2019-09-11 15:24:06,901 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x24eeb20, AllocationBase 0x260000.
2019-09-11 15:24:06,901 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x24efdc8, AllocationBase 0x440000.
2019-09-11 15:24:06,901 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x24eebc8, AllocationBase 0x3a00000.
2019-09-11 15:24:06,901 [root] DEBUG: DropTrackedRegion: removed pages 0x3a00000-0x3c00000 from tracked region list.
2019-09-11 15:24:06,901 [root] DEBUG: Allocation: 0x03BC0000 - 0x03BC1000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,901 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,901 [root] DEBUG: AddTrackedRegion: Region at 0x03BC0000 size 0x1000 added to tracked regions.
2019-09-11 15:24:06,901 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2380.
2019-09-11 15:24:06,901 [root] DEBUG: DLL unloaded from 0x772F0000.
2019-09-11 15:24:06,901 [root] DEBUG: Allocation: 0x003B2000 - 0x003B3000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,901 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,901 [root] DEBUG: AddTrackedRegion: Region at 0x003B0000 size 0x3000 added to tracked regions.
2019-09-11 15:24:06,901 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2704.
2019-09-11 15:24:06,917 [root] DEBUG: DLL loaded at 0x729C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni (0x102e000 bytes).
2019-09-11 15:24:06,947 [root] DEBUG: Allocation: 0x003E5000 - 0x003E6000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,947 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,947 [root] DEBUG: AddTrackedRegion: Region at 0x003E0000 size 0x6000 added to tracked regions.
2019-09-11 15:24:06,947 [root] DEBUG: Allocation: 0x003EB000 - 0x003EC000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,947 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,947 [root] DEBUG: AddTrackedRegion: Region at 0x003E0000 size 0xc000 added to tracked regions.
2019-09-11 15:24:06,947 [root] DEBUG: Allocation: 0x003E7000 - 0x003E8000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,947 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,947 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003E0000, size: 0xc000.
2019-09-11 15:24:06,947 [root] DEBUG: Allocation: 0x003CC000 - 0x003CD000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,947 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,963 [root] DEBUG: AddTrackedRegion: Region at 0x003C0000 size 0xd000 added to tracked regions.
2019-09-11 15:24:06,963 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7d000 bytes).
2019-09-11 15:24:06,963 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 15:24:06,963 [root] DEBUG: Allocation: 0x00480000 - 0x00481000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:06,963 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:06,963 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x1000 added to tracked regions.
2019-09-11 15:24:06,963 [root] DEBUG: set_caller_info: Adding region at 0x00480000 to caller regions list.
2019-09-11 15:24:06,963 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00481000.
2019-09-11 15:24:06,963 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x481000.
2019-09-11 15:24:06,963 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00481000.
2019-09-11 15:24:06,963 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00481000.
2019-09-11 15:24:06,963 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x481000.
2019-09-11 15:24:06,963 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00481000.
2019-09-11 15:24:06,963 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_1049880522642211392019 successfully created, size 0x10000
2019-09-11 15:24:06,963 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x481000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:06,963 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:06,963 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:06,963 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_19399416242642211392019 successfully created, size 0x1000
2019-09-11 15:24:06,979 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_19399416242642211392019
2019-09-11 15:24:06,979 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0x1000.
2019-09-11 15:24:06,979 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:06,979 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x481000.
2019-09-11 15:24:06,979 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_20309152122642211392019 successfully created, size 0x10000
2019-09-11 15:24:06,979 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x481000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:06,994 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:06,994 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:06,994 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15872630272642211392019 successfully created, size 0x1000
2019-09-11 15:24:06,994 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_15872630272642211392019
2019-09-11 15:24:06,994 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0x1000.
2019-09-11 15:24:06,994 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:06,994 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x481000.
2019-09-11 15:24:07,009 [root] DEBUG: Allocation: 0x003BC000 - 0x003BD000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,009 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,009 [root] DEBUG: AddTrackedRegion: Region at 0x003B0000 size 0xd000 added to tracked regions.
2019-09-11 15:24:07,009 [root] DEBUG: DLL loaded at 0x72020000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni (0x99a000 bytes).
2019-09-11 15:24:07,026 [root] DEBUG: DLL loaded at 0x71970000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni (0x6ae000 bytes).
2019-09-11 15:24:07,026 [root] DEBUG: Allocation: 0x003D6000 - 0x003D7000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,026 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,026 [root] DEBUG: AddTrackedRegion: Region at 0x003D0000 size 0x7000 added to tracked regions.
2019-09-11 15:24:07,026 [root] DEBUG: Allocation: 0x003DA000 - 0x003DB000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,026 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,026 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 11.
2019-09-11 15:24:07,026 [root] DEBUG: AddTrackedRegion: Region at 0x003D0000 size 0xb000 added to tracked regions.
2019-09-11 15:24:07,026 [root] DEBUG: Allocation: 0x003D7000 - 0x003D8000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,026 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,026 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003D0000, size: 0xb000.
2019-09-11 15:24:07,072 [root] DEBUG: CreateThread: Initialising breakpoints for thread 804.
2019-09-11 15:24:07,072 [root] DEBUG: Allocation: 0x003BA000 - 0x003BB000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,072 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,072 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003B0000, size: 0xd000.
2019-09-11 15:24:07,072 [root] DEBUG: Allocation: 0x00481000 - 0x00482000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,072 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,072 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 12.
2019-09-11 15:24:07,072 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x2000 added to tracked regions.
2019-09-11 15:24:07,072 [root] DEBUG: Allocation: 0x00482000 - 0x00485000, size: 0x3000, protection: 0x40.
2019-09-11 15:24:07,072 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,088 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 13.
2019-09-11 15:24:07,088 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x5000 added to tracked regions.
2019-09-11 15:24:07,088 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00480000, TrackedRegion->RegionSize: 0x5000, thread 804
2019-09-11 15:24:07,088 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x244, Size=0x2, Address=0x00482000 and Type=0x1.
2019-09-11 15:24:07,088 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 804 type 1 at address 0x00482000, size 2 with Callback 0x74487630.
2019-09-11 15:24:07,088 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00482000
2019-09-11 15:24:07,088 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x244, Size=0x4, Address=0x0048003C and Type=0x1.
2019-09-11 15:24:07,088 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 804 type 1 at address 0x0048003C, size 4 with Callback 0x74487250.
2019-09-11 15:24:07,088 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0048003C
2019-09-11 15:24:07,088 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00482000 (size 0x3000).
2019-09-11 15:24:07,088 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x748067D8 (thread 804)
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00482000.
2019-09-11 15:24:07,088 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00482000 and Type=0x0.
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x482000: 0xf.
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:07,088 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x748067E5 (thread 804)
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00482000.
2019-09-11 15:24:07,088 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00482000 already exists for thread 804 (process 1308), skipping.
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x482000: 0xf.
2019-09-11 15:24:07,088 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:07,088 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00482000 (thread 804)
2019-09-11 15:24:07,088 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00482000 (allocation base 0x00480000).
2019-09-11 15:24:07,088 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00480000, size 0x5000).
2019-09-11 15:24:07,088 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00485000.
2019-09-11 15:24:07,088 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x485000.
2019-09-11 15:24:07,088 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_14465526482742211392019 successfully created, size 0x5000
2019-09-11 15:24:07,104 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_14465526482742211392019
2019-09-11 15:24:07,104 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00480000 (size 0x5000).
2019-09-11 15:24:07,104 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x485000.
2019-09-11 15:24:07,104 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00482000.
2019-09-11 15:24:07,104 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0048003C.
2019-09-11 15:24:07,104 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00482000.
2019-09-11 15:24:07,119 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2792.
2019-09-11 15:24:07,119 [root] DEBUG: Allocation: 0x00485000 - 0x00486000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,119 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,119 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 14.
2019-09-11 15:24:07,119 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x6000 added to tracked regions.
2019-09-11 15:24:07,119 [root] DEBUG: Allocation: 0x00486000 - 0x00487000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,119 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,119 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 15.
2019-09-11 15:24:07,119 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x7000 added to tracked regions.
2019-09-11 15:24:07,134 [root] DEBUG: Allocation: 0x00487000 - 0x00488000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,134 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,134 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 16.
2019-09-11 15:24:07,134 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x8000 added to tracked regions.
2019-09-11 15:24:07,213 [root] DEBUG: Allocation: 0x00488000 - 0x00489000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,213 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,213 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 17.
2019-09-11 15:24:07,213 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0x9000 added to tracked regions.
2019-09-11 15:24:07,229 [root] DEBUG: Allocation: 0x00489000 - 0x0048A000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,229 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,229 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 18.
2019-09-11 15:24:07,229 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0xa000 added to tracked regions.
2019-09-11 15:24:07,259 [root] DEBUG: Allocation: 0x0048A000 - 0x0048B000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,259 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,259 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 19.
2019-09-11 15:24:07,259 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0xb000 added to tracked regions.
2019-09-11 15:24:07,259 [root] DEBUG: Allocation: 0x0048B000 - 0x0048C000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,259 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,259 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 20.
2019-09-11 15:24:07,259 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0xc000 added to tracked regions.
2019-09-11 15:24:07,259 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2019-09-11 15:24:07,276 [root] DEBUG: Allocation: 0x0048C000 - 0x0048D000, size: 0x1000, protection: 0x40.
2019-09-11 15:24:07,276 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,276 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 21.
2019-09-11 15:24:07,276 [root] DEBUG: AddTrackedRegion: Region at 0x00480000 size 0xd000 added to tracked regions.
2019-09-11 15:24:07,290 [root] DEBUG: Allocation: 0x00580000 - 0x00583000, size: 0x3000, protection: 0x40.
2019-09-11 15:24:07,290 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:07,290 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2019-09-11 15:24:07,290 [root] DEBUG: AddTrackedRegion: Region at 0x00580000 size 0x3000 added to tracked regions.
2019-09-11 15:24:07,290 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00580000, TrackedRegion->RegionSize: 0x3000, thread 804
2019-09-11 15:24:07,290 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00480000 to 0x00580000.
2019-09-11 15:24:07,290 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x244, Size=0x2, Address=0x00580000 and Type=0x1.
2019-09-11 15:24:07,290 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 804 type 1 at address 0x00580000, size 2 with Callback 0x74487630.
2019-09-11 15:24:07,290 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00580000
2019-09-11 15:24:07,290 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x244, Size=0x4, Address=0x0058003C and Type=0x1.
2019-09-11 15:24:07,290 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 804 type 1 at address 0x0058003C, size 4 with Callback 0x74487250.
2019-09-11 15:24:07,290 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0058003C
2019-09-11 15:24:07,290 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00580000 (size 0x3000).
2019-09-11 15:24:07,290 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x73D0137A (thread 804)
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00580000.
2019-09-11 15:24:07,290 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00580000 and Type=0x0.
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x580000: 0xe9.
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:07,290 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x73D0137A (thread 804)
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00580000.
2019-09-11 15:24:07,290 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (2) at 0x00580000 already exists for thread 804 (process 1308), skipping.
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x580000: 0xe9.
2019-09-11 15:24:07,290 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-09-11 15:24:07,290 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x73D0137A (thread 804)
2019-09-11 15:24:07,290 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0058003C.
2019-09-11 15:24:07,290 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 1 within Context, Size=0x2, Address=0x0058010B and Type=0x1.
2019-09-11 15:24:07,290 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x4, Address=0x0058011B and Type=0x1.
2019-09-11 15:24:07,290 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x0058011B.
2019-09-11 15:24:07,290 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x73D0137A (thread 804)
2019-09-11 15:24:07,290 [root] DEBUG: AddressOfEPWriteCallback: pointer to PE header too big: 0x4D8957F3.
2019-09-11 15:24:07,306 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00580000 (thread 804)
2019-09-11 15:24:07,306 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00580000 (allocation base 0x00580000).
2019-09-11 15:24:07,306 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00580000, size 0x3000).
2019-09-11 15:24:07,306 [root] DEBUG: DumpPEsInRange: Scanning range 0x00580000 - 0x00583000.
2019-09-11 15:24:07,306 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x580000-0x583000.
2019-09-11 15:24:07,306 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_3931646942742211392019 successfully created, size 0x3000
2019-09-11 15:24:07,306 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_3931646942742211392019
2019-09-11 15:24:07,306 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00580000 (size 0x3000).
2019-09-11 15:24:07,306 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x580000 - 0x583000.
2019-09-11 15:24:07,306 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00580000.
2019-09-11 15:24:07,306 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0058010B.
2019-09-11 15:24:07,306 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00580000.
2019-09-11 15:24:07,306 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 3 address 0x0058011B.
2019-09-11 15:24:07,306 [root] DEBUG: set_caller_info: Adding region at 0x00580000 to caller regions list.
2019-09-11 15:24:07,322 [root] INFO: Sample attempted to remap module 'C:\Windows\SysWOW64\ntdll.dll' at 0x064F0000, returning original module address instead: 0x772F0000
2019-09-11 15:24:07,322 [root] DEBUG: set_caller_info: Adding region at 0x064F0000 to caller regions list.
2019-09-11 15:24:07,322 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0xffa14184 (expected in memory scans), passing to next handler.
2019-09-11 15:24:07,338 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-09-11 15:24:07,338 [root] DEBUG: DLL unloaded from 0x00260000.
2019-09-11 15:24:07,415 [root] DEBUG: DLL loaded at 0x73C20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader (0xd4000 bytes).
2019-09-11 15:24:10,115 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-09-11 15:24:11,581 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1308).
2019-09-11 15:24:11,581 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1854 in capemon caught accessing 0x261000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,581 [root] DEBUG: GetEntropy: Exception occured attempting to get PE entropy at 0x00261000
2019-09-11 15:24:11,581 [root] DEBUG: DumpPEsInRange: Scanning range 0x00440000 - 0x00441000.
2019-09-11 15:24:11,581 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x440000-0x441000.
2019-09-11 15:24:11,581 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00440000 - 0x00441000.
2019-09-11 15:24:11,581 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_5863005833142211392019 successfully created, size 0x40000
2019-09-11 15:24:11,581 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x441000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,596 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x440000
2019-09-11 15:24:11,596 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00440000 size 0x40000.
2019-09-11 15:24:11,596 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_3645756963142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,596 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_3645756963142211392019
2019-09-11 15:24:11,596 [root] DEBUG: DumpRegion: Dumped base address 0x00440000, size 0x1000.
2019-09-11 15:24:11,596 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00440000.
2019-09-11 15:24:11,596 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x440000 - 0x441000.
2019-09-11 15:24:11,596 [root] DEBUG: DumpPEsInRange: Scanning range 0x03BC0000 - 0x03BC1000.
2019-09-11 15:24:11,596 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3bc0000-0x3bc1000.
2019-09-11 15:24:11,596 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x03BC0000 - 0x03BC1000.
2019-09-11 15:24:11,596 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_3371301783142211392019 successfully created, size 0x40000
2019-09-11 15:24:11,596 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3bc1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,596 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3bc0000
2019-09-11 15:24:11,596 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x03BC0000 size 0x40000.
2019-09-11 15:24:11,596 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15479945553142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,596 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_15479945553142211392019
2019-09-11 15:24:11,611 [root] DEBUG: DumpRegion: Dumped base address 0x03BC0000, size 0x1000.
2019-09-11 15:24:11,611 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x03BC0000.
2019-09-11 15:24:11,611 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3bc0000 - 0x3bc1000.
2019-09-11 15:24:11,611 [root] DEBUG: DumpPEsInRange: Scanning range 0x003B0000 - 0x003B3000.
2019-09-11 15:24:11,628 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3b1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,628 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3b0fc1
2019-09-11 15:24:11,628 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003B0000 - 0x003B3000.
2019-09-11 15:24:11,628 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_1034795963142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,628 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3b1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,628 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3b0000
2019-09-11 15:24:11,628 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003B0000 size 0x10000.
2019-09-11 15:24:11,628 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_18118327203142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,628 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_18118327203142211392019
2019-09-11 15:24:11,628 [root] DEBUG: DumpRegion: Dumped base address 0x003B0000, size 0x1000.
2019-09-11 15:24:11,628 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003B0000.
2019-09-11 15:24:11,628 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3b0000 - 0x3b3000.
2019-09-11 15:24:11,644 [root] DEBUG: DumpPEsInRange: Scanning range 0x003E0000 - 0x003E6000.
2019-09-11 15:24:11,644 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3e1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,644 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3e0fc1
2019-09-11 15:24:11,644 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003E0000 - 0x003E6000.
2019-09-11 15:24:11,644 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_13444037603142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,644 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3e1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,644 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3e0000
2019-09-11 15:24:11,644 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003E0000 size 0x10000.
2019-09-11 15:24:11,644 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_12390344643142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,644 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_12390344643142211392019
2019-09-11 15:24:11,644 [root] DEBUG: DumpRegion: Dumped base address 0x003E0000, size 0x1000.
2019-09-11 15:24:11,644 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003E0000.
2019-09-11 15:24:11,644 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3e6000.
2019-09-11 15:24:11,644 [root] DEBUG: DumpPEsInRange: Scanning range 0x003E0000 - 0x003EC000.
2019-09-11 15:24:11,644 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3e1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,644 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3e0fc1
2019-09-11 15:24:11,644 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003E0000 - 0x003EC000.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_12495852363142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,658 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3e1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3e0000
2019-09-11 15:24:11,658 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003E0000 size 0x10000.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_13262431813142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,658 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_13262431813142211392019
2019-09-11 15:24:11,658 [root] DEBUG: DumpRegion: Dumped base address 0x003E0000, size 0x1000.
2019-09-11 15:24:11,658 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003E0000.
2019-09-11 15:24:11,658 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3ec000.
2019-09-11 15:24:11,658 [root] DEBUG: DumpPEsInRange: Scanning range 0x003C0000 - 0x003CD000.
2019-09-11 15:24:11,658 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3c1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,658 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3c0fc1
2019-09-11 15:24:11,658 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003C0000 - 0x003CD000.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_12091528873142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,658 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3c1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3c0000
2019-09-11 15:24:11,658 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003C0000 size 0x10000.
2019-09-11 15:24:11,658 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_13162455253142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,674 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_13162455253142211392019
2019-09-11 15:24:11,674 [root] DEBUG: DumpRegion: Dumped base address 0x003C0000, size 0x1000.
2019-09-11 15:24:11,674 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003C0000.
2019-09-11 15:24:11,674 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3cd000.
2019-09-11 15:24:11,674 [root] DEBUG: DumpPEsInRange: Scanning range 0x003B0000 - 0x003BD000.
2019-09-11 15:24:11,674 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3b1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,674 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3b0fc1
2019-09-11 15:24:11,674 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003B0000 - 0x003BD000.
2019-09-11 15:24:11,674 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_10538513053142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,674 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3b1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,674 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3b0000
2019-09-11 15:24:11,674 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003B0000 size 0x10000.
2019-09-11 15:24:11,674 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_14551074363142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,706 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_14551074363142211392019
2019-09-11 15:24:11,706 [root] DEBUG: DumpRegion: Dumped base address 0x003B0000, size 0x1000.
2019-09-11 15:24:11,706 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003B0000.
2019-09-11 15:24:11,706 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3b0000 - 0x3bd000.
2019-09-11 15:24:11,706 [root] DEBUG: DumpPEsInRange: Scanning range 0x003D0000 - 0x003D7000.
2019-09-11 15:24:11,706 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3d1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,706 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3d0fc1
2019-09-11 15:24:11,706 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003D0000 - 0x003D7000.
2019-09-11 15:24:11,706 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_5944666743142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,706 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3d1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,706 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3d0000
2019-09-11 15:24:11,706 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003D0000 size 0x10000.
2019-09-11 15:24:11,706 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_1344512323142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,721 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_1344512323142211392019
2019-09-11 15:24:11,721 [root] DEBUG: DumpRegion: Dumped base address 0x003D0000, size 0x1000.
2019-09-11 15:24:11,721 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003D0000.
2019-09-11 15:24:11,721 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3d7000.
2019-09-11 15:24:11,721 [root] DEBUG: DumpPEsInRange: Scanning range 0x003D0000 - 0x003DB000.
2019-09-11 15:24:11,721 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d1a in capemon caught accessing 0x3d1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,721 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x3d0fc1
2019-09-11 15:24:11,721 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003D0000 - 0x003DB000.
2019-09-11 15:24:11,721 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15034894963142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,736 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x3d1000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,736 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x3d0000
2019-09-11 15:24:11,736 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x003D0000 size 0x10000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_685116253142211392019 successfully created, size 0x1000
2019-09-11 15:24:11,736 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_685116253142211392019
2019-09-11 15:24:11,736 [root] DEBUG: DumpRegion: Dumped base address 0x003D0000, size 0x1000.
2019-09-11 15:24:11,736 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003D0000.
2019-09-11 15:24:11,736 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3db000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00482000.
2019-09-11 15:24:11,736 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x482000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00482000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_12567599143142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,736 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,736 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,736 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15315109803142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,736 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_15315109803142211392019
2019-09-11 15:24:11,736 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,736 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,736 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x482000.
2019-09-11 15:24:11,736 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00486000.
2019-09-11 15:24:11,736 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x486000.
2019-09-11 15:24:11,753 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00486000.
2019-09-11 15:24:11,753 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_1936996723142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,753 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,753 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,753 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,753 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_9622718303142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,767 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_9622718303142211392019
2019-09-11 15:24:11,783 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,783 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,783 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x486000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00487000.
2019-09-11 15:24:11,783 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x487000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00487000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_13576286563142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,783 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,783 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,783 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_18308068163142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,783 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_18308068163142211392019
2019-09-11 15:24:11,783 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,783 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,783 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x487000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00488000.
2019-09-11 15:24:11,783 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x488000.
2019-09-11 15:24:11,783 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00488000.
2019-09-11 15:24:11,831 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_127150723142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,831 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,831 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,831 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,831 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_4144015203142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,861 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_4144015203142211392019
2019-09-11 15:24:11,861 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,861 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,861 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x488000.
2019-09-11 15:24:11,861 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x00489000.
2019-09-11 15:24:11,861 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x489000.
2019-09-11 15:24:11,861 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x00489000.
2019-09-11 15:24:11,861 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15634628023142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,861 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,861 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,861 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,861 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_3175177263142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,878 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_3175177263142211392019
2019-09-11 15:24:11,878 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,878 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,878 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x489000.
2019-09-11 15:24:11,878 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048A000.
2019-09-11 15:24:11,878 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48a000.
2019-09-11 15:24:11,878 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x0048A000.
2019-09-11 15:24:11,878 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_5012785023142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,892 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,892 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,892 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,892 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_4082676053142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,892 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_4082676053142211392019
2019-09-11 15:24:11,892 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,892 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,892 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x48a000.
2019-09-11 15:24:11,892 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048B000.
2019-09-11 15:24:11,892 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48b000.
2019-09-11 15:24:11,892 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x0048B000.
2019-09-11 15:24:11,892 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_3466260253142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,892 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,892 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,892 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,892 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_15948836423142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,908 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_15948836423142211392019
2019-09-11 15:24:11,908 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,908 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,908 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x48b000.
2019-09-11 15:24:11,908 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048C000.
2019-09-11 15:24:11,908 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48c000.
2019-09-11 15:24:11,908 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x0048C000.
2019-09-11 15:24:11,908 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_2325055923142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,908 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,908 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,908 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,908 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_4357058183142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,924 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_4357058183142211392019
2019-09-11 15:24:11,924 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,924 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,924 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x48c000.
2019-09-11 15:24:11,924 [root] DEBUG: DumpPEsInRange: Scanning range 0x00480000 - 0x0048D000.
2019-09-11 15:24:11,924 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x480000-0x48d000.
2019-09-11 15:24:11,924 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00480000 - 0x0048D000.
2019-09-11 15:24:11,924 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_20434414963142211392019 successfully created, size 0x10000
2019-09-11 15:24:11,924 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff9e in capemon caught accessing 0x48d000 (expected in memory scans), passing to next handler.
2019-09-11 15:24:11,924 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x480000
2019-09-11 15:24:11,924 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00480000 size 0x10000.
2019-09-11 15:24:11,924 [root] DEBUG: DumpMemory: CAPE output file C:\AhuoFy\CAPE\1308_9919910963142211392019 successfully created, size 0xd000
2019-09-11 15:24:11,940 [root] INFO: Added new CAPE file to list with path: C:\AhuoFy\CAPE\1308_9919910963142211392019
2019-09-11 15:24:11,940 [root] DEBUG: DumpRegion: Dumped base address 0x00480000, size 0xd000.
2019-09-11 15:24:11,940 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00480000.
2019-09-11 15:24:11,940 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x480000 - 0x48d000.
2019-09-11 15:24:11,940 [root] INFO: Notified of termination of process with pid 1308.
2019-09-11 15:24:12,002 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1308).
2019-09-11 15:24:12,859 [root] INFO: Process with pid 1308 has terminated
2019-09-11 15:24:17,930 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 15:24:18,944 [root] INFO: Created shutdown mutex.
2019-09-11 15:24:19,957 [root] INFO: Shutting down package.
2019-09-11 15:24:19,957 [root] INFO: Stopping auxiliary modules.
2019-09-11 15:24:19,957 [root] INFO: Finishing auxiliary modules.
2019-09-11 15:24:19,957 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 15:24:19,957 [root] WARNING: File at path "C:\AhuoFy\debugger" does not exist, skip.
2019-09-11 15:24:19,957 [root] INFO: Analysis completed.

MalScore

9.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-09-11 14:24:01 2019-09-11 14:24:37

File Details

File Name NEW_ORDE.EXE
File Size 941568 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6a518effda014f29780f6ba4185e0b5e
SHA1 dbfa7faeea38fb32739601750fd55b33f89ba350
SHA256 bd5ea6bf76dc29cb0f43fee9aa9470b8a7f7318844eb7203d5951fce1217a525
SHA512 b8e37270d9af256c2e1b72e3a2f6cd48c2f3865a22c46e9e8eec65575e04f33329d13f062268816946a8cb9c837b355b91b84228243dc7a22a624054a2ae157b
CRC32 F7CA3D49
Ssdeep 12288:jgbt8oR2a5+JM2jccgdJNi1lm3cNfZtpZRfLNuZgvwkgv0X1TCfFiVsIl/ONlhVn:jk2acMsgde1lm3cNlMZ+vo6qxL+YR
TrID
  • 62.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73294/58/13)
  • 23.4% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 1.7% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1308 trigged the Yara rule 'shellcode'
Possible date expiration check, exits too soon after checking local time
process: NEW_ORDE.EXE, PID 1308
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: MSCOREE.DLL/CLRCreateInstance
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: KERNEL32.dll/AddVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/QueryThreadCycleTime
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/FindResource
DynamicLoader: KERNEL32.dll/FindResourceA
DynamicLoader: KERNEL32.dll/SizeofResource
DynamicLoader: KERNEL32.dll/LoadResource
DynamicLoader: KERNEL32.dll/LockResource
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileA
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: KERNEL32.dll/VirtualAlloc
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDecrypt
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: diasymreader.dll/DllGetClassObject
CAPE extracted potentially suspicious content
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
NEW_ORDE.EXE: Extracted Shellcode
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Roaming\filename.exe:Zone.Identifier
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\filename.exe

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE.config
C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR110_CLR0400.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\jqItRhWhJxmstUgbma\*
C:\Users\user\AppData\Local\Temp\NEW_ORDE.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Users\user\AppData\Local\Temp\int % SortedList<TKey><TValue>.TrimExcess.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\user\AppData\Roaming\filename.exe
C:\Users\user\AppData\Roaming\filename.exe:Zone.Identifier
C:\Windows\Microsoft.NET\Framework\v4.0.30319\VERSION.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE.config
C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Users\user\AppData\Roaming\filename.exe
C:\Users\user\AppData\Roaming\filename.exe:Zone.Identifier
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NEW_ORDE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.SetThreadStackGuarantee
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
shlwapi.dll.PathFindFileNameW
kernel32.dll.IsWow64Process
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.QueryThreadCycleTime
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.FindResourceA
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
shell32.dll.SHGetFolderPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.CopyFileW
kernel32.dll.DeleteFileA
kernel32.dll.WideCharToMultiByte
kernel32.dll.VirtualAlloc
advapi32.dll.CryptAcquireContextW
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDecrypt
advapi32.dll.CryptDeriveKey
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptHashData
advapi32.dll.CryptReleaseContext
user32.dll.MessageBoxA
ole32.dll.CoCreateInstance
version.dll.GetFileVersionInfoSizeW
diasymreader.dll.DllGetClassObject
Startup_shellcode_006

PE Information

Image Base 0x00400000
Entry Point 0x0045763e
Reported Checksum 0x000eb8e7
Actual Checksum 0x000eb8e7
Minimum OS Version 4.0
Compile Time 2019-07-27 07:32:33
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy
.text | 0x00002000 | 0x00055644 | 0x00055800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.90
.rsrc | 0x00058000 | 0x00090124 | 0x00090200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.29
.reloc | 0x000ea000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.10

Imports

Library mscoree.dll:
0x402000 _CorExeMain

.text
`.rsrc
@.reloc
v4.0.30319
#Strings
#GUID
#Blob
jqItRhWhJxmstUgbma
mscorlib
System.Core
System
NServiceKit.Interfaces
NServiceKit.Text
System.Web
System.Runtime.Serialization
System.ServiceModel
System.Xml
System.Xml.Linq
System.ServiceModel.Web
<Module>
ParameterizedThreadStart
IFormatter
Object
IAppIdAuthority
.ctor
.cctor
StoreCategoryEnumeration
HashElementEntryFieldId
TypedReference
AppDomainSortingSetupInfo
IEnumSTORE_DEPLOYMENT_METADATA
SystemTime
SafeBuffer
SurrogateForCyclicalReference
IDependentOSMetadataEntry
CS$<>9__CachedAnonymousMethodDelegate1
Func`2
CompilerGeneratedAttribute
System.Runtime.CompilerServices
Enumerable
System.Linq
Select
IEnumerable`1
System.Collections.Generic
ToArray
<Awake>b__12_0add_OnRockedInitializedget_Syntax
Convert
ToInt32
get_AllowedCallerTranslateLoad
MDTable
EnumerableTypeInfo2
smallResulte__FixedBuffer
PlatformNotSupportedException
SNI_PacketSNI_Packet
UInt64ArrayTypeInfo
ComponentManagerBroker
String
Concat
get_Chars
Substring
ICustomPropertyProviderImpl
DateTimeFormatInfo
Assembly
System.Reflection
get_EntryPoint
MethodInfo
MethodBase
Invoke
set_CustomURLLogWarningget_Location
tagDBPROPINFOSET
FromBase64String
Saveset_ConnectedTimeget_Syntax
IEnumSTORE_ASSEMBLY
GetAssembliesFromDirectoryget_SteamID64ParseUInt64
ExternalLogReloadadd_OnRockedInitialized
DefaultModuleContext
Attribute
ActionExecExtensions
NServiceKit.Common
WaitCallback
System.Threading
CS$<>9__CachedAnonymousMethodDelegate3
Converter`2
IAsyncResult
WaitHandle
Action
IEnumerator`1
ICollection`1
get_Count
GetEnumerator
get_Current
BeginInvoke
AsyncCallback
get_AsyncWaitHandle
IEnumerator
System.Collections
MoveNext
IDisposable
Dispose
ExecAllAndWait
TimeSpan
actions
timeout
ExtensionAttribute
List`1
AutoResetEvent
ThreadPool
QueueUserWorkItem
ExecAsync
WaitAll
waitHandles
timeoutMs
get_TotalMilliseconds
ConvertAll
asyncResults
ArgumentNullException
Thread
get_CurrentThread
GetApartmentState
ApartmentState
WaitOne
timeOutMs
<ExecAsync>b__0
<WaitAll>b__2
AssertExtensions
ThrowOnFirstNull
ParamArrayAttribute
ThrowIfNull
varName
ThrowIfNullOrEmpty
strValue
IsNullOrEmpty
ICollection
collection
ArgumentException
ByteArrayExtensions
AreEqual
RsaKeyLengths
value__
Bit1024
Bit2048
Bit4096
RsaKeyPair
<PrivateKey>k__BackingField
<PublicKey>k__BackingField
get_PrivateKey
set_PrivateKey
value
get_PublicKey
set_PublicKey
PrivateKey
PublicKey
CryptUtils
Length
KeyPair
Encrypt
Decrypt
StringBuilder
System.Text
RSACryptoServiceProvider
System.Security.Cryptography
AsymmetricAlgorithm
FromXmlString
Encoding
get_Unicode
GetBytes
Create
HashAlgorithm
ComputeHash
Buffer
BlockCopy
Array
Reverse
ToBase64String
Append
ToString
publicKey
length
ArrayList
get_Length
AddRange
GetTypeFromHandle
RuntimeTypeHandle
GetString
privateKey
ToXmlString
CreatePublicAndPrivateKeyPair
DictionaryExtensions
Dictionary`2
ContainsKey
get_Item
GetValueOrDefault
dictionary
KeyValuePair`2
Enumerator
get_Key
get_Value
Action`2
ForEach
onEachFn
IDictionary`2
TryGetValue
Equals
EquivalentTo
thisMap
otherMap
createFn
Func`3
<ConvertAll>b__0
Action`1
Monitor
Enter
set_Item
GetOrAdd
PairWith
<>c__DisplayClass1`3
DirectoryInfoExtensions
FileSystemInfo
System.IO
get_FullName
GetMatchingFiles
DirectoryInfo
rootDirPath
fileSearchPattern
<GetMatchingFiles>d__0
IEnumerable
<>2__current
<>1__state
<>l__initialThreadId
<>3__rootDirPath
<>3__fileSearchPattern
<pending>5__1
Queue`1
<paths>5__2
<filePath>5__3
<>7__wrap5
<>7__wrap6
get_ManagedThreadId
System.Collections.Generic.IEnumerable<System.String>.GetEnumerator
DebuggerHiddenAttribute
System.Diagnostics
System.Collections.IEnumerable.GetEnumerator
FileAttributes
Enqueue
Dequeue
Directory
GetFiles
GetDirectories
GetAttributes
System.Collections.Generic.IEnumerator<System.String>.get_Current
NotSupportedException
System.Collections.IEnumerator.Reset
Reset
System.IDisposable.Dispose
System.Collections.IEnumerator.get_Current
<>m__Finally4
System.Collections.Generic.IEnumerator<System.String>.Current
System.Collections.IEnumerator.Current
DisposableExtensions
Exception
GetType
Format
NServiceKit.Logging
Error
resources
disposables
disposable
runActionThenDispose
EnumerableExtensions
IsEmpty
HashSet`1
ToHashSet
items
SafeConvertAll
converter
ToObjects
FirstNonDefaultOrEmpty
values
FirstNonDefault
thisList
otherList
<>3__sequence
<>3__batchSize
BatchesOf
sequence
batchSize
ToSafeDictionary
ToDictionary
<BatchesOf>d__0`1
<batch>5__1
<item>5__2
<>7__wrap3
System.Collections.Generic.IEnumerable<T[]>.GetEnumerator
Clear
System.Collections.Generic.IEnumerator<T[]>.get_Current
System.Collections.Generic.IEnumerator<T[]>.Current
EnumExtensions
MemberInfo
GetMember
DescriptionAttribute
System.ComponentModel
GetCustomAttributes
get_Description
ToDescription
GetNames
ToList
GetUnderlyingType
Int32
Int64
get_Name
StringExtensions
Remove
ExecExtensions
LogManager
GetLogger
get_Message
LogError
declaringType
clientMethodName
ExecAll
instances
action
ExecAllWithFirstOut
firstResult
ExecReturnFirstWithResult
DateTime
get_UtcNow
Func`1
Nullable`1
get_HasValue
op_Subtraction
op_LessThan
TimeoutException
RetryUntilTrue
timeOut
RetryOnException
maxRetries
Random
NewGuid
GetHashCode
Sleep
SleepBackOffMultiplier
DelegateFactory
NServiceKit.Common.Expressions
ParameterExpression
System.Linq.Expressions
MethodCallExpression
Expression`1
Expression
Parameter
get_DeclaringType
UnaryExpression
Lambda
Compile
method
GetParameters
ParameterInfo
CreateParameterExpressions
argumentsParameter
get_ReturnParameter
get_ParameterType
CreateVoid
LateBoundMethod
MulticastDelegate
object
target
arguments
callback
EndInvoke
result
LateBoundVoid
<>c__DisplayClass1
Constant
ConstantExpression
ArrayIndex
BinaryExpression
<CreateParameterExpressions>b__0
parameter
index
ExtensionsProxy
NServiceKit.Common.Extensions
ObsoleteAttribute
CollectionExtensions
First
IntExtensions
Times
times
actionFn
TimesAsync
TranslatorExtensions
ITranslator`2
NServiceKit.DesignPatterns.Translator
Parse
ParseAll
translator
ToEnum
ToEnumOrDefault
defaultValue
SplitCamelCase
ToEnglish
camelCase
EqualsIgnoreCase
other
ReplaceFirst
haystack
needle
replacement
ReplaceAll
ContainsAny
testMatches
SafeVarName
delimeter
HostContext
Instance
IDictionary
ThreadStaticAttribute
HttpContext
get_Items
set_Items
Contains
GetOrCreate
EndRequest
IService
NServiceKit.ServiceHost
TrackDisposable
instance
Items
DispsableTracker
HashId
WeakReference
get_Target
get_IsAlive
<Times>d__0
<>3__times
<i>5__1
System.Collections.Generic.IEnumerable<System.Int32>.GetEnumerator
System.Collections.Generic.IEnumerator<System.Int32>.get_Current
System.Collections.Generic.IEnumerator<System.Int32>.Current
IPAddressExtensions
IPAddress
System.Net
GetAddressBytes
GetBroadcastAddress
address
subnetMask
GetNetworkAddress
GetNetworkAddressBytes
ipAdressBytes
subnetMaskBytes
get_AddressFamily
AddressFamily
System.Net.Sockets
IsInSameIpv6Subnet
address2
address1Bytes
address2Bytes
IsInSameIpv4Subnet
NetworkInterface
System.Net.NetworkInformation
UnicastIPAddressInformation
GetAllNetworkInterfaces
GetIPProperties
IPInterfaceProperties
get_UnicastAddresses
UnicastIPAddressInformationCollection
IPAddressInformation
get_Address
get_IPv4Mask
GetAllNetworkInterfaceIpv4Addresses
GetAllNetworkInterfaceIpv6Addresses
ClientFactory
NServiceKit.Messaging
StartsWith
IndexOf
NotImplementedException
IOneWayClient
NServiceKit.Service
endpointUrl
IMessageHandler
get_MessageType
Process
IMessageQueueClient
mqClient
ProcessQueue
queueName
doNext
GetStats
IMessageHandlerStats
MessageType
IMessageHandlerDisposer
DisposeMessageHandler
messageHandler
IMessageHandlerFactory
CreateMessageHandler
InMemoryMessageQueueClient
IMessageProducer
factory
QueueNames`1
get_In
Message`1
Publish
messageBody
IMessage`1
message
messageBytes
Notify
GetAsync
WaitForNotifyOnAny
channelNames
InMemoryTransientMessageFactory
IMessageFactory
IMessageQueueClientFactory
transientMessageService
<MqFactory>k__BackingField
get_MqFactory
set_MqFactory
CreateMessageProducer
CreateMessageQueueClient
CreateMessageService
IMessageService
DebugFormat
MqFactory
InMemoryMessageProducer
parent
TransientMessageServiceBase
DefaultRetryCount
isRunning
handlerMap
messageHandlers
<RetryCount>k__BackingField
<RequestTimeOut>k__BackingField
<PoolSize>k__BackingField
CS$<>9__CachedAnonymousMethodDelegate5
get_RetryCount
set_RetryCount
get_RequestTimeOut
set_RequestTimeOut
get_PoolSize
set_PoolSize
get_MessageFactory
retryAttempts
requestTimeOut
RegisterHandler
processMessageFn
processExceptionEx
MessageHandlerStats
get_Keys
KeyCollection
get_RegisteredTypes
GetStatus
AppendLine
GetStatsDescription
CreateMessageHandlerFactory
get_Values
ValueCollection
Start
<Start>b__4
RetryCount
RequestTimeOut
PoolSize
MessageFactory
RegisteredTypes
total
<GetStats>b__0
InMemoryTransientMessageService
<Factory>k__BackingField
get_Factory
set_Factory
EventHandler`1
EventArgs
factory_MessageReceived
sender
get_MessageQueueFactory
Factory
MessageQueueFactory
MessageExtensions
ToMessageFnCache
get_UTF8
bytes
MakeGenericType
PlatformExtensions
GetPublicStaticMethod
MakeDelegate
GetRealContentType
MatchesContentType
matchesContentType
IsBinary
ToFeature
Feature
GetContentFormat
ToContentFormat
ToContentType
formats
<Host>k__BackingField
<Port>k__BackingField
get_Host
set_Host
get_Port
set_Port
HttpError
IHttpError
statusCode
responseDto
NotFound
Unauthorized
Conflict
HttpHeaders
XParamOverridePrefix
XHttpMethodOverride
XUserAuthId
XForwardedFor
XRealIp
Referer
CacheControl
IfModifiedSince
IfNoneMatch
LastModified
AcceptEncoding
ContentEncoding
ContentLength
ContentDisposition
Location
SetCookie
Authorization
WwwAuthenticate
AllowOrigin
AllowMethods
AllowHeaders
AllowCredentials
AcceptRanges
ContentRange
Range
allVerbs
AllVerbs
HasVerb
GetEndpointAttribute
HttpResponseFilter
IContentTypeFilter
IContentTypeReader
UTF8EncodingWithoutBom
UTF8Encoding
ContentTypeSerializers
ContentTypeResponseSerializers
ResponseSerializerDelegate
ContentTypeDeserializers
<ContentTypeFormats>k__BackingField
CS$<>9__CachedAnonymousMethodDelegate8
ClearCustomFilters
get_ContentTypeFormats
set_ContentTypeFormats
GetFormatContentType
Register
streamSerializer
streamDeserializer
responseSerializer
SetContentTypeSerializer
SetContentTypeDeserializer
get_ResponseContentType
IHttpResponse
ToUtf8Bytes
SerializeToBytes
SerializeToResponse
httpResponse
GetResponseSerializer
GetStreamSerializer
fromStream
GetStreamDeserializer
<GetStreamSerializer>b__4
<GetStreamSerializer>b__5
<GetStreamSerializer>b__6
ContentTypeFormats
get_OutputStream
<GetResponseSerializer>b__1
httpReq
httpRes
HttpResponseStreamWrapper
<KeepOpen>k__BackingField
<Cookies>k__BackingField
ICookies
<OutputStream>k__BackingField
<IsClosed>k__BackingField
get_OriginalResponse
get_KeepOpen
set_KeepOpen
get_Cookies
set_Cookies
AddHeader
Redirect
set_OutputStream
ForceClose
get_IsClosed
set_IsClosed
SetContentLength
contentLength
OriginalResponse
KeepOpen
Cookies
OutputStream
IsClosed
HttpResult
IPartialWriter
allowsPartialResponse
<ResponseText>k__BackingField
<ResponseStream>k__BackingField
<FileInfo>k__BackingField
<View>k__BackingField
<Template>k__BackingField
statusDescription
fileResponse
asAttachment
get_CreationTimeUtc
get_LastWriteTimeUtc
get_LastAccessTimeUtc
responseText
responseBytes
get_ResponseText
set_ResponseText
get_ResponseStream
set_ResponseStream
get_FileInfo
set_FileInfo
set_AllowsPartialResponse
get_AllowsPartialResponse
ToUniversalTime
set_LastModified
set_Location
AddYears
SetPermanentCookie
SetSessionCookie
expiresIn
expiresAt
AddDays
DeleteCookie
get_View
set_View
get_Template
set_Template
GetHeader
get_IsPartialRequest
WritePartialTo
GetContentLength
Status201Created
newLocationUri
redirectStatus
DisposeStream
ResponseText
AllowsPartialResponse
Template
IsPartialRequest
HttpResultExtensions
ToDto
ToResponseDto
get_StackTrace
set_StackTrace
ToErrorResponse
httpError
IsErrorResponse
ExtractHttpRanges
rangeHeader
rangeStart
rangeEnd
AddHttpRangeResponseHeaders
get_CanSeek
toStream
start
MimeTypes
ExtensionMimeTypes
GetMimeType
fileNameOrExt
RequestContextExtensions
IHttpRequest
SetItem
GetItem
SerializationContext
<ResponseContentType>k__BackingField
<CompressionType>k__BackingField
headerName
get_IpAddress
Cookie
get_EndpointAttributes
get_RequestAttributes
IRequestAttributes
set_ResponseContentType
get_CompressionType
set_CompressionType
get_PathInfo
IFile
get_Files
IpAddress
RequestAttributes
ResponseContentType
CompressionType
AbsoluteUri
PathInfo
Files
CustomExtensions
IConvertible
<PrivateImplementationDetails>{01A7CFA4-CFCF-4893-80C1-E47F329B2A4A}
$$method0x6000752-1
$$method0x6000752-2
$$method0x60007a5-1
$$method0x6000655-1
$$method0x6000659-1
$$method0x6000686-1
$$method0x60006f6-1
__StaticArrayInitTypeSize=256
__StaticArrayInitTypeSize=6
TValue
TReturn
TEntity
TResponse
TAttr
XmlDto
DebuggingModes
RuntimeCompatibilityAttribute
CompilationRelaxationsAttribute
+Use NServiceKit.Common.ActionExecExtensions
'Use NServiceKit.Common.AssertExtensions
*Use NServiceKit.Common.ByteArrayExtensions
+Use NServiceKit.Common.DictionaryExtensions
+Use NServiceKit.Common.EnumerableExtensions
$Use NServiceKit.Common.IntExtensions
Use ConvertAll
'Use NServiceKit.Common.StringExtensions
Count={Count}
Inherited
AllowMultiple
({Item1},{Item2})
!({Item1},{Item2},{Item3},{Item4})
({Item1},{Item2},{Item3})
+Moved to NServiceKit.Common.Web.HttpMethods
Use JsonServiceClient
lPlease call the SetBaseUri(string baseUri) method, which uses the specific implementation's Format property.
Use JsvServiceClient
Use XmlServiceClient
_CorExeMain
mscoree.dll
This file is not on VirusTotal.

Process Tree


NEW_ORDE.EXE, PID: 1308, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name filename.exe
Associated Filenames
C:\Users\user\AppData\Roaming\filename.exe
File Size 941568 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6a518effda014f29780f6ba4185e0b5e
SHA1 dbfa7faeea38fb32739601750fd55b33f89ba350
SHA256 bd5ea6bf76dc29cb0f43fee9aa9470b8a7f7318844eb7203d5951fce1217a525
CRC32 F7CA3D49
Ssdeep 12288:jgbt8oR2a5+JM2jccgdJNi1lm3cNfZtpZRfLNuZgvwkgv0X1TCfFiVsIl/ONlhVn:jk2acMsgde1lm3cNlMZ+vo6qxL+YR
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00480000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 9ef8a89549912605d0600e54eac1bb2e
SHA1 2061d2f204908847288a451fc33a186361e76355
SHA256 ad227545ea913eaf1cc9334278ae4182dd0b2aa5315d93e2e9bda824e26785fb
CRC32 B25A99AD
Ssdeep 3:1lV1ltlau+//lFAOUjwqb6Pb:v/1a3tGFwxPb
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 20480 bytes
Virtual Address 0x00480000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 ca18ae11f16d98ecdf0842a88adca83e
SHA1 31fadde4cc4e4b5f1577f09957314c420bc73527
SHA256 b198b6ccbca4d5c381562e8dfff0d0bfa255ebf7ada07312ced8158215975d0f
CRC32 BBB0CE4C
Ssdeep 192:5dei/oKKoW36+WspJy3ULb+ndK8Kbn/uDIG6AvKgm9WefMNWkD1Ns7qH1Ng4lEMU:KwSGgbmDXY/9EgAtQGlGVSMSDBVdFE
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 12288 bytes
Virtual Address 0x00580000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 c04e9c0393a506c70b298adce89f488c
SHA1 23fbd9c365b9cb75b107cbd76396813d83899b73
SHA256 4e988e17d4d05fb48ff635f084d784c48be77340cedc1caffdc070edba8249b6
CRC32 64506E3C
Ssdeep 192:j3HTDKtQQXKahc9mLqhf/Tgk6aS3FLQMYQixw6jl/:jD8iahAHTI/LQMTixw6jZ
Yara
  • shellcode - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00440000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 ee1d33442a93d4352014134fa4f37524
SHA1 b932128d22aeb97105bdf43ed119d6ef4b9cdc4f
SHA256 1f48c18352be905842794d0c3d735da94624e574a7c5d2714efd89a48fc044c7
CRC32 D057845E
Ssdeep 12:D7rqWsiHzJOC6d/q/q/K/K/amSw6snFI4NJRO:H+xiTleFZ8
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x03BC0000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 c9b5e0db323f76a5f6ab91a0522274f2
SHA1 fb1f229e82ce3590d5db4337942ffbecd088fc5b
SHA256 9fa48f420f85772ba7c7d9789ee5378bd67b1913d4973742db325bfe13754ceb
CRC32 1868AEF5
Ssdeep 6:1P+X76PvpREuQBFy/LUYsz10+lC7O/PW1lxl//0NG1ShY+GDmhDDbXDn:1dHn/L5sZ0+E7OCt/kG1Shmm/XD
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003B0000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 320b3245d3b31d20d6ca2845010d6d38
SHA1 805aaf31bd4515362e4b88e715058a106258e8a6
SHA256 1ca9defd6caed9371e327790684c6c90224a5a8aaa8c58e6cdd0d16dd442c5f7
CRC32 CE1D8093
Ssdeep 6:iKv/rmC72LrrG8v6/llijmq/bllG4/DG5/llCn:iKvzmmirqm6//ijm6b/G4i5//
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003E0000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 339e54886c2570769c45af0442886ebc
SHA1 dde4deacbbbd892d5c7d1acca1ee0f8bbcdca2db
SHA256 fae402630c13d3507eae14a5c76586801ef36ff02677dbd2a837a9c005b53615
CRC32 9AA03ED5
Ssdeep 3:7FtDlrjrj3mANlPZLlblbF/lbl3xzlblDdnlblfJblblr1PlblHhDlblThb3BlvX:/N
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003C0000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 ee8fb1adff0b869655a3b1934412c505
SHA1 6906f7b8517f48242a076497ea907b09ecd00a8e
SHA256 f5e3c91a6814091fe5c13fc7993b4896e6afeae61d89ea8ee484c0efefab162d
CRC32 C83FB43E
Ssdeep 3:bNlTl:
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003D0000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 d93380c060a5e43094bca0de858050b7
SHA1 6e5f400ddca4b450a947ba84a817c0739187536c
SHA256 711eb14f5d37a6a53f9b29448eb4776fa4277fa36dc3dc406e84d6085875acc1
CRC32 1427C4D1
Ssdeep 3:g/QUXIvyodFIWF5YElXVUQlI9lIBlIFlIJlItmMYt:fUXvoHjTYEHUwA0occI
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 53248 bytes
Virtual Address 0x00480000
Process NEW_ORDE.EXE
PID 1308
Path C:\Users\user\AppData\Local\Temp\NEW_ORDE.EXE
MD5 a702696548c3591716190febb7c7f1a0
SHA1 d4b189f52417d234fd6e30fd0c2cec9fedf8f7e2
SHA256 cb5555374dd0f4c66097ba41fa718d3a9397878703233100ea491fa7cebb49e7
CRC32 BDA5017A
Ssdeep 768:mSGvI/KQ2SjbF9/tk/2ylVbPQYzW0Vzp1/VvDl7Ux9E:mbAKQ2Ob/t4toYzW0P1/ND0E
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 4.068 seconds )

  • 1.465 Static
  • 1.276 CAPE
  • 0.437 Dropped
  • 0.393 TargetInfo
  • 0.142 BehaviorAnalysis
  • 0.122 TrID
  • 0.089 Deduplicate
  • 0.069 static_dotnet
  • 0.061 Strings
  • 0.008 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.094 seconds )

  • 0.011 antiav_detectreg
  • 0.007 ransomware_files
  • 0.006 stealth_timeout
  • 0.006 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 api_spamming
  • 0.004 InjectionCreateRemoteThread
  • 0.004 decoy_document
  • 0.004 infostealer_bitcoin
  • 0.003 injection_createremotethread
  • 0.003 InjectionProcessHollowing
  • 0.003 injection_runpe
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 Doppelganging
  • 0.002 persistence_autorun
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 InjectionInterProcess
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 antivm_generic_disk
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 90420
Mongo ID 5d7903adeac9b186706343a4
Cuckoo release 1.3-CAPE